Vulnerabilities > CVE-2006-6332 - Remote Buffer Overflow vulnerability in Madwifi 0.9.2.1
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
description madwifi <= 0.9.2.1 WPA/RSN IE Remote Kernel Buffer Overflow Exploit. CVE-2006-6332. Remote exploit for linux platform id EDB-ID:3389 last seen 2016-01-31 modified 2007-03-01 published 2007-03-01 reporter Massimiliano Oldani source https://www.exploit-db.com/download/3389/ title madwifi <= 0.9.2.1 WPA/RSN IE Remote Kernel Buffer Overflow Exploit description Madwifi < 0.9.2.1 SIOCGIWSCAN Buffer Overflow. CVE-2006-6332. Remote exploit for linux platform id EDB-ID:10024 last seen 2016-02-01 modified 2006-12-08 published 2006-12-08 reporter Julien Tinnes source https://www.exploit-db.com/download/10024/ title Madwifi < 0.9.2.1 - SIOCGIWSCAN Buffer Overflow description Madwifi SIOCGIWSCAN Buffer Overflow. CVE-2006-6332. Remote exploit for linux platform id EDB-ID:16835 last seen 2016-02-02 modified 2010-09-20 published 2010-09-20 reporter metasploit source https://www.exploit-db.com/download/16835/ title Madwifi SIOCGIWSCAN Buffer Overflow
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200612-09.NASL description The remote host is affected by the vulnerability described in GLSA-200612-09 (MadWifi: Kernel driver buffer overflow) Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer overflow in the encode_ie() and the giwscan_cb() functions from ieee80211_wireless.c. Impact : A remote attacker could send specially crafted wireless WPA packets containing malicious RSN Information Headers (IE) that could potentially lead to the remote execution of arbitrary code as the root user. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 23861 published 2006-12-14 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23861 title GLSA-200612-09 : MadWifi: Kernel driver buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200612-09. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(23861); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-6332"); script_bugtraq_id(21486); script_xref(name:"GLSA", value:"200612-09"); script_name(english:"GLSA-200612-09 : MadWifi: Kernel driver buffer overflow"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200612-09 (MadWifi: Kernel driver buffer overflow) Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer overflow in the encode_ie() and the giwscan_cb() functions from ieee80211_wireless.c. Impact : A remote attacker could send specially crafted wireless WPA packets containing malicious RSN Information Headers (IE) that could potentially lead to the remote execution of arbitrary code as the root user. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200612-09" ); script_set_attribute( attribute:"solution", value: "All MadWifi users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-wireless/madwifi-ng-0.9.2.1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:madwifi-ng"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/14"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-wireless/madwifi-ng", unaffected:make_list("ge 0.9.2.1"), vulnerable:make_list("lt 0.9.2.1"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MadWifi"); }NASL family SuSE Local Security Checks NASL id SUSE_MADWIFI-2370.NASL description The madwifi-ng Atheros Wireless LAN card driver is subject to a remotely exploitable stack-based buffer overflow, this update fixes this problem. (CVE-2006-6332) This update also brings madwifi to version 0.9.2.1. last seen 2020-06-01 modified 2020-06-02 plugin id 29516 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29516 title SuSE 10 Security Update : madwifi (ZYPP Patch Number 2370) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-404-1.NASL description Laurent Butti, Jerome Razniewski, and Julien Tinnes discovered that the MadWifi wireless driver did not correctly check packet contents when receiving scan replies. A remote attacker could send a specially crafted packet and execute arbitrary code with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27992 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27992 title Ubuntu 6.10 : linux-restricted-modules-2.6.17 vulnerability (USN-404-1)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/82241/madwifi_giwscan_cb.rb.txt |
| id | PACKETSTORM:82241 |
| last seen | 2016-12-05 |
| published | 2009-10-27 |
| reporter | Laurent Butti |
| source | https://packetstormsecurity.com/files/82241/Madwifi-SIOCGIWSCAN-Buffer-Overflow.html |
| title | Madwifi SIOCGIWSCAN Buffer Overflow |
Statements
| contributor | Mark J Cox |
| lastmodified | 2007-04-17 |
| organization | Red Hat |
| statement | Not vulnerable. The MadWiFi wireless driver is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. |
References
- http://lists.immunitysec.com/pipermail/dailydave/2006-December/003888.html
- http://madwifi.org/changeset/1842
- http://madwifi.org/wiki/news/20061207/release-0-9-2-1-fixes-critical-security-issue
- http://secunia.com/advisories/23277
- http://secunia.com/advisories/23335
- http://secunia.com/advisories/23694
- http://security.gentoo.org/glsa/glsa-200612-09.xml
- http://www.kb.cert.org/vuls/id/925529
- http://www.novell.com/linux/security/advisories/2006_28_sr.html
- http://www.novell.com/linux/security/advisories/2006_74_madwifi.html
- http://www.securityfocus.com/bid/21486
- http://www.ubuntu.com/usn/usn-404-1
- http://www.vupen.com/english/advisories/2006/4901
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30800