Wi-Fi SSID names could allow to crash or hack mobile devices

Security researchers discovered a bug in WiFi SSID management that could be exploited by hackers to crash Android, Windows, Linux systems or hack them.

In an e-mail published on the Open Source Software Security (oss-security) mailing list, a user reported a serious vulnerability that could allow attackers to crash devices or even potentially inject malware into their system by using crafted P2P SSID names.

The flaw was discovered by the security team at Alibaba and reported to wpa_supplicant maintainer Jouni Malinen by the Google security team.

The attack occurs via a malicious wireless peer-to-peer network name, the attack relies in how wpa_supplicant “uses SSID information parsed from management frames that create or update P2P peer entries” in the list of available networks.

The experts explained that the flaw is similar to the Heartbleed bug, with the difference that the wpa_supplicant vulnerability could allow an attacker to access the contents of memory and modify it.

The flaw is related to wrong validation of data, in particular, the check for the length of transmitted data. An attacker can use a P2P SSID names that exceed the valid 32 octets of data to memory allocated and writes information beyond this memory space. The attack allows hackers to write data in memory causing wpa_supplicant and Wi-Fi service to crash resulting in a DoS attack on affected devices. The attacker just has to send responses to Wi-Fi probe requests or P2P network Public Action messages. The attacker could exploit the flaw also to expose memory contents during the three-way handshake of a peer-to-peer network negotiation or potentially run arbitrary code on the target system.

SSID information “is transmitted in an element that has a 8-bit length field and potential maximum payload length of 255 octets,” Malinen wrote, and the code “was not sufficiently verifying the payload length on one of the code paths using the SSID received from a peer device. This can result in copying arbitrary data from an attacker to a fixed length buffer of 32 bytes (i.e., a possible overflow of up to 223 bytes). The overflow can override a couple of variables in the struct, including a pointer that gets freed. In addition, about 150 bytes (the exact length depending on architecture) can be written beyond the end of the heap allocation.”

While the attack is very difficult to run if the target device isn’t actively using P2P Wi-Fi connections, it is possible use a malicious SSIS,  “evil SSID”, to cause denial of service without a P2P network. The good new is the availability of a patch for the vulnerability, Google will include it for its Android system in one of the next security updates.

It is important to remark that the vulnerability in the Wi-Fi security could leave also Windows and Linux devices open to DoS attack.

Pierluigi Paganini

(Security Affairs –  P2P, SSID)