eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC

Severity: Medium
Advisory ID: ZSL-2009-4917
Release Date: 10 July 2009
Vendor: eEye Digital Security Inc. - http://www.eeye.com
Affected Version: 1.0.8.68
Tested On: Microsoft Windows XP Professional SP3 (English)
Summary

Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.

Note: The tool is implemented as part of the eEye's Retina Network Security Scanner package.

Description

A vulnerability has been identified in eEye Retina WiFi Scanner which could be exploited by attackers to compromise a vulnerable system. The issue is caused by a buffer overflow error when processing wireless scan files (.RWS) containing overly long data; an attacker could exploit it to crash the affected application or execute arbitrary code by tricking a user into opening a malicious file.

(1268.dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** Defaulted to export symbols for [path]\WiFiCore.dll -
WiFiCore!LibWifi_ReportHTML+0x1b48e:
1001dcce f644300401      test    byte ptr [eax+esi+4],1     ds:0023:414141b1=??
0:000> g
(1268.dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
eip=7c809eda esp=00121484 ebp=001214b0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** Defaulted to export symbols for [path]\kernel32.dll -
kernel32!IsBadReadPtr+0x39:
7c809eda 8a02            mov     al,byte ptr [edx]          ds:0023:41414141=??
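Both debugger breaks above show the 0x41414141 fill pattern from the oversized field landing in registers that feed the faulting memory operand, which is what makes this more than a plain crash. As an added example that is not part of the advisory or of the original PoC, the following Python crash-triage helper parses those two breaks (re-typed here as a constructed log from the output quoted above), reports which address registers hold the fill pattern, classifies the fault as a read or a write, and checks that the register values actually account for the faulting address; the FILL constant and the regular expressions are assumptions about the WinDbg output layout.

```python
import re

# Constructed from the two WinDbg breaks quoted above; not the original PoC.
CRASH_LOG = r"""
(1268.dd8): Access violation - code c0000005 (first chance)
eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0         nv up ei pl nz na pe nc
WiFiCore!LibWifi_ReportHTML+0x1b48e:
1001dcce f644300401      test    byte ptr [eax+esi+4],1     ds:0023:414141b1=??
0:000> g
(1268.dd8): Access violation - code c0000005 (first chance)
eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
eip=7c809eda esp=00121484 ebp=001214b0 iopl=0         nv up ei pl zr na pe nc
kernel32!IsBadReadPtr+0x39:
7c809eda 8a02            mov     al,byte ptr [edx]          ds:0023:41414141=??
"""
FILL = 0x41414141  # 'AAAA': the fill pattern of the oversized .RWS field (assumed)
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\w+!\w+\+0x[0-9a-f]+):", re.M)
INSN_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+\s+(\w+)\s+(.+?)\s+ds:0023:([0-9a-f]{8})=\?\?", re.M)

def parse_breaks(log):
    """One record per access violation: symbol, registers, faulting instruction."""
    breaks = []
    for chunk in re.split(r"(?m)^(?=\(\w+\.\w+\): Access violation)", log):
        insn = INSN_RE.search(chunk)
        if insn:
            breaks.append({"symbol": SYM_RE.search(chunk).group(1),
                           "regs": {r: int(v, 16) for r, v in REG_RE.findall(chunk)},
                           "mnemonic": insn.group(1), "operands": insn.group(2),
                           "fault_addr": int(insn.group(3), 16)})
    return breaks

def operand_address(mem_expr, regs):
    """Evaluate a 'reg+reg+disp' operand (hex displacement; no scaled index or '-')."""
    total = 0
    for tok in (t.strip() for t in mem_expr.split("+")):
        total += regs[tok] if tok in regs else int(tok, 16)
    return total & 0xFFFFFFFF

def triage(brk):
    """Is the faulting address derived from registers holding file-controlled data?"""
    tainted = sorted(r for r, v in brk["regs"].items() if v == FILL)
    mem = re.search(r"\[([^\]]+)\]", brk["operands"]).group(1)
    dest = brk["operands"].split(",")[0]  # a write only if the memory operand is the destination
    access = "write" if "[" in dest and brk["mnemonic"] not in ("cmp", "test") else "read"
    controlled = [r for r in re.findall(r"\be[a-z]{2}\b", mem) if r in tainted]
    return {"symbol": brk["symbol"], "access": access, "tainted": tainted, "controlled": controlled,
            "consistent": operand_address(mem, brk["regs"]) == brk["fault_addr"],
            "verdict": f"controlled-{access}" if controlled else "uncontrolled"}
```

Both breaks come out as controlled reads whose faulting address is fully explained by the fill-pattern registers (eax+esi+4 in WiFiCore, edx in IsBadReadPtr), which is the kind of evidence that moves a fuzzer crash from "denial of service" to "needs a memory-safety fix".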
Proof of Concept
Disclosure Timeline
16.05.2009 - Vulnerability discovered.
16.05.2009 - Initial contact with the vendor with description included + screenshot + proof of concept code.
18.05.2009 - Vendor contacted again for confirmation of the vulnerability because of no reply from previous e-mail.
18.05.2009 - Vendor replied and acknowledged the vulnerability. Patch development process in progress.
25.05.2009 - Vendor contacted for information on patch development and its release process because of our advisory disclosure policy.
29.05.2009 - Vendor contacted again for information on patch development because of no reply from previous e-mail.
29.05.2009 - Vendor answered. Bug fixes scheduled within next week.
08.06.2009 - Vendor contacted for an accurate date of a patch release or scheduled bug fix time line information.
08.06.2009 - Vendor replied and confirmed that the vulnerability has been mitigated and passed the QA. The fix will be introduced in the next release of the product. Scheduled date for the release of the update is not yet known...or...it's unknown :).
12.06.2009 - Vendor informs that the fix will be released along with the new scheduled release of the Retina package approximately on 29th of June.
29.06.2009 - Contacted the vendor, asked for a more accurate (fixed) date of the release.
29.06.2009 - Vendor says that the patch is being tested by the QA team along with other program fixes. Vendor will contact me after the tests, with the results from the same.
06.07.2009 - Sent an e-mail to the vendor stating that the advisory is planned to be published on 10th of July because of internal company reasons.
10.07.2009 - Vendor releases patch: http://download.eeye.com/html/products/retinawireless/
10.07.2009 - Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Greg Linares
References
Changelog
10.07.2009 - Initial release
25.10.2021 - Added references [12] and [13]