Edit Report

Our sensors found this exploit at:

Below is a copy:

Hash: SHA1

Happy PPC Hacking Project

-= Security  Advisory =-

Advisory: KisMAC Cisco Vendor Tag Encapsulated SSID Overflow
 Release Date: 2006/03/23
Last Modified: 2006/03/23
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

Application: KisMAC < dev version 113
               KisMAC < 73p
     Severity: Special crafted 80211 management frames may cause
               a stackoverflow that eventually leads to remote
               code execution
         Risk: Critical
Vendor Status: Vendor has a released an updated version


Quote from
   "KisMAC is a free stumbler application for MacOS X, that puts 
   your card into the monitor mode. Unlike most other applications 
   for OS X it has the ability to run completely invisible and 
   send no probe requests."
   While playing around with wifi, raw packets, MacOS X, ppc and
   KisMAC a quick audit revealed a remotely triggerable buffer
   overflow in KisMAC's parser for tagged data in 80211 management 
   frames, that can lead to execution of arbitrary code.
   To exploit this vulnerability an attacker must either trick the
   victim in opening a pcap file containing the special crafted
   management frames OR the attacker must send such raw frames
   while the victim is performing a passive network scan.


When KisMAC receives a 80211 management frame (or finds one in
   a imported pcap file) it parses the attached tagged data with
   the function WavePacket:parseTaggedData. With the help of this
   method the SSID, the channel and the rates get extracted from 
   the management packet.
   The function in question also supports a special Cisco vendor tag,
   which is scanned by KisMAC for additional SSIDs. Unfortunately it 
   then copies the SSIDs found into a 33 bytes big stackbuffer 
   without any kind of size check. 
      slen = (*(ssidl + 5));  // <-- reading SSID length (UINT8)
      ssidl += 6;
      if ((len -= slen) < 0) break;
      @try  {
         memcpy(ssid, ssidl, slen);  // <-- copying without check into 33
                                     //     bytes big stackbuffer
         [_SSIDs addObject:[NSString stringWithUTF8String:ssid]];
      @catch (NSException *exception) {
         [_SSIDs addObject:[NSString stringWithCString:(char*)(ssidl) length:slen]];
   Due to the try/catch block around the memcpy() the stacklayout
   allows to overwrite the jump_buf for setjmp/longjump which are
   used for the exception handling. This actually means it is not 
   only possible to control the execution flow by manipulating the 
   program counter (pc) but also to have control over the content 
   of all registers once the execution flow has been manipulated.
   It should be obvious that this eventually leads to the execution 
   of arbitrary code.

Proof of Concept:

The Happy PPC Hacking Project is not going to release exploits 
   for this vulnerability to the public.

Disclosure Timeline:

22. March 2006 - Contacted KisMAC developers by email
   22. March 2006 - Vendor releases KisMAC update
   23. March 2006 - Public Disclosure


It is strongly recommended to upgrade to the newest version of
   KisMAC which you can download at:


pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.