TITLE: KisMAC Cisco Vendor Tag SSID Parsing Buffer Overflow SECUNIA ADVISORY ID: SA19354 VERIFY ADVISORY: http://secunia.com/advisories/19354/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: KisMAC 0.x http://secunia.com/product/2073/ DESCRIPTION: Stefan Esser has reported a vulnerability in KisMAC, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the "WavePacket:parseTaggedData()" function when parsing the Cisco vendor tag for additional SSIDs in a received 802.11 management frame. This can be exploited to cause a stack-based buffer overflow and potentially allows arbitrary code execution. Successful exploitation requires that the user is e.g. tricked into opening a malicious pcap file containing special-crafted management frames, or via raw management frames that are sent onto the wireless network while the user is performing a passive network scan. The vulnerability has been reported in versions prior to R73p and is reportedly introduced in version R54. SOLUTION: Update to version R73p. http://kismac.de/download.php The vulnerability has also been fixed in developer version 113. PROVIDED AND/OR DISCOVERED BY: Stefan Esser, Hardened-PHP Project. ORIGINAL ADVISORY: KisMAC: http://kismac.de/_trac/changeset/113 Hardened-PHP Project: http://www.hardened-php.net/advisory_032006.115.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------