Discovering and exploiting 802.11 wireless driver vulnerabilities

Journal in Computer Virology

Volumn 4, Issue 1, 2008, Pages 25-37

  Butti, Laurent ^a   Tinnés, Julien ^a  

^a ORANGE LABS   (France)

Author keywords

[No Author keywords available]

Indexed keywords

FUZZY SYSTEMS; SECURITY OF DATA;

KERNEL STACK OVERFLOW; SUCCESSFUL EXPLOITATION; WIRELESS DRIVER VULNERABILITIES;

WIRELESS LOCAL AREA NETWORKS (WLAN);

EID: 38849204787     PISSN: 17729890     EISSN: 17729904     Source Type: Journal    
DOI: 10.1007/s11416-007-0065-x     Document Type: Article

References (39)

1. IEEE: local and metropolitan area networks, specific requirements, part 11: Wireless LAN Medium Access Control (MAC) and physical layer (PHY) specifications (1997-1999)
2. Cache, J., Maynor, D.: Device drivers, http://www.blackhat.com/ presentations/bh-usa-06/BH-US-06-Cache.pdf (2006)
3. Black Hat Conference: http://www.blackhat.com
4. Cache, J., Maynor, D.: Hijacking a MacBook in 60 seconds. http://www.youtube.com/watch?v=chtQ1bcHLZQ (2006)
5. James, W.: Thompson's blog, http://he-colo.netgate.com/archives/00000465. htm (2006)
6. Cédric Blancher's blog: http://sid.rstack.org/blog/index.php/2006/ 10/02/133-se-paierait-on-notre-pomme (2006)
7. Maynor, D.: Its V-A day.... http://erratasec.blogspot.com/2007/02/its-v- day.html (2007)
8. Lemos, R.: Maynor reveals missing apple flaws http://www.securityfocus. com/news/11445 (2007)
9. Johnny Cache's mail: http://lists.immunitysec.com/pipermail/dailydave/ 2006-September/003459.html (2006)
10. Wikipedia, Rings: http://en.wikipedia.org/wiki/ Ring_%28computer_security%29
11. Miller B.: Fuzz testing of application reliability, http://www.cs.wisc. edu/bart/fuzz/ (1990-2006)
12. Fuzzing Mailing List: The definition of what a fuzzer really is... is fuzzy, http://www.whitestar.linuxbox.org/pipermail/fuzzing/2006-May/000033.html (2006)
13. Month of Browser Bugs: http://browserfun.blogspot.com/ (2006)
14. Month of Kernel Bugs: http://kernelfun.blogspot.com/ (2006)
15. Month of Apple Bugs: http://applefun.blogspot.com/ (2007)
16. Month of PHP Bugs: http://www.php-security.org/ (2007)
17. L.M.H.: fsfuzzer, http://projects.info-pull.com/mokb/fsfuzzer-0.6-lmh.tgz (2006)
18. Jean Tourillhes: Wireless Tools for Linux, http://www.hpl.hp.com/ personal/Jean_Tourrilhes/Linux/Tools.html, 1996-2007
19. Dino, A., Zovi D., Macaulay, S.: Attacking automatic wireless network selection, http://www.theta44.org/karma/aawns.pdf (2005)
20. Toast: airpwn, http://sourceforge.net/projects/airpwn (2004-2006)
21. Blancher, C.: wifitap, http://sid.rstack.org/index.php/Wifitap (2005-2006)
22. Butti, L.: Raw Glue AP, http://rfakeap.tuxfamily.org/ (2005-2006)
23. Cache, J.: fuzz-e, http://www.802.11mercenary.net/code/airbase-latest- svn.tar.gz (2006)
24. NetStumbler.com, NetStumbler, http://www.netstumbler.com/ (2001-2007)
25. Wright, J., Too, S.O., Kershaw, M.: 802.11b firmware-level attacks, http://802.11ninja.net/papers/firmware_attack.pdf (2006)
26. Multiband Atheros Driver for Wireless Fidelity: madwifi, http://www.madwifi.org/ (2004-2006)
27. Aircrack-ng: madwifi-ng injection patch, http://patches.aircrack-ng.org/ madwifi-ng-r1816.patch (2006)
28. Wright, J., Kershaw, M.: Loss of radio connectivity, http://www.802. 11mercenary.net/lorcon/ (2006-2007)
29. Cache, J., Moore, H.D.: skape, exploiting 802.11 wireless driver vulnerabilities on windows, http://www.uninformed.org/?v=6&a=2&t=sumry (2006)
30. Biondi, P.: Scapy, http://www.secdev.org/scapy (2003-2007)
31. Metasploit, L.L.C.: Metasploit, http://www.metasploit.com/, 2003-2007
32. Butti, L.: NetGear MA521 wireless driver long rates overflow (CVE-2006-6059), http://kernelfun.blogspot.com/2006/11/mokb-18-11-2006-netgear- ma521-wireless.html (2006)
33. Butti, L.: NetGear WG311v1 wireless driver long SSID overflow (CVE-2006-6125), http://kernelfun.blogspot.com/2006/11/mokb-22-11-2006-netgear- wg311v1.html (2006)
34. Butti, L.: D-link DWL-G650+ wireless driver long TIM overflow (CVE-2007-0933), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0933 (2007)
35. Butti, L.: Wi-Fi advanced fuzzing, http://www.blackhat.com/html/bh- europe-07/bh-eu-07-speakers.html#Butti (2007)
36. Butti, L., Razniewski, J., Tinnés, J.: Madwifi SIOCSIWSCAN vulnerability (CVE-2006-6332), http://archives.neohapsis.com/archives/dailydave/ 2006-q4/0291.html (2006)
37. Madwifi : Release 0.9.2.1 fixes critical security issue, http://kernelfun.blogspot.com/2006/11/mokb-22-11-2006-netgear-wg311v1.html (2006)
38. Tinnés, J., Butti, L.: madexploit.c, http://archives.neohapsis. com/archives/dailydave/2006-q4/att-0298/madexploit.c (2006)
39. Guillot, Y.: metasm, http://www.sstic.org/SSTIC07/programme.do#GUILLOT (2006-2007)