WPS UPnP vulnerability with HTTP chunked transfer encoding

Jouni Malinen j
Mon May 4 01:33:08 PDT 2015 

Published: May 4, 2015
Latest version available from: http://w1.fi/security/2015-2/


Vulnerability

A vulnerability was found in the WPS UPnP function shared by hostapd
(WPS AP) and wpa_supplicant (WPS external registrar). The HTTP
implementation used for the UPnP operations uses a signed integer for
storing the length of a HTTP chunk when the chunked transfer encoding
and may end up using a negative value when the chunk length is indicated
as 0x8000000 or longer. The length validation steps do not handle the
negative value properly and may end up accepting the length and passing
a negative value to the memcpy when copying the received data from a
stack buffer to a heap buffer allocated for the full request. This
results in stack buffer read overflow and heap buffer write overflow.

Taken into account both hostapd and wpa_supplicant use only a single
thread, the memcpy call with a negative length value results in heap
corruption, but due to the negative parameter being interpreted as a
huge positive integer, process execution terminates in practice before
being able to run any following operations with the corrupted heap. This
may allow a possible denial of service attack through
hostapd/wpa_supplicant process termination under certain conditions.

WPS UPnP operations are performed over a trusted IP network connection,
i.e., an attack against this vulnerability requires the attacker to have
access to the IP network. In addition, this requires the WPS UPnP
functionality to be enabled at runtime. For WPS AP (hostapd) with a
wired network connectivity, this is commonly enabled. For WPS station
(wpa_supplicant) WPS UPnP functionality is used only when WPS ER
functionality has been enabled at runtime (WPS_ER_START command issued
over the control interface). The vulnerable functionality is not
reachable without that command having been issued.


Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration
(hostapd/.config) and upnp_iface parameter included in the runtime
configuration.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build
configuration (wpa_supplicant/.config) and WPS ER functionality enabled
at runtime with WPS_ER_START control interface command.


Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and
reporting this issue.


Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:

  WPS: Fix HTTP chunked transfer encoding parser

  This patch is available from http://w1.fi/security/2015-2/

- Update to hostapd/wpa_supplicant v2.5 or newer, once available

- Disable WPS UPnP in hostapd runtime configuration (remove the
  upnp_iface parameter from the configuration file)

- Do not enable WPS ER at runtime in wpa_supplicant (WPS_ER_START
  control interface command)

- Disable WPS UPnP/ER from the build (remove CONFIG_WPS_UPNP=y from
  hostapd/.config and CONFIG_WPS_ER=y from wpa_supplicant/.config)

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list