WPS UPnP vulnerability with HTTP chunked transfer encoding

Published: May 4, 2015
Identifier: CVE-2015-4141
Latest version available from: http://w1.fi/security/2015-2/

Vulnerability

A vulnerability was found in the WPS UPnP function shared by hostapd (WPS AP) and wpa_supplicant (WPS external registrar). The HTTP implementation used for the UPnP operations uses a signed integer for storing the length of an HTTP chunk when the chunked transfer encoding is used, and may end up using a negative value when the chunk length is indicated as 0x8000000 or longer. The length validation steps do not handle the negative value properly and may end up accepting the length and passing a negative value to memcpy when copying the received data from a stack buffer to a heap buffer allocated for the full request. This results in a stack buffer read overflow and a heap buffer write overflow.

Taking into account that both hostapd and wpa_supplicant use only a single thread, the memcpy call with a negative length value results in heap corruption, but because the negative parameter is interpreted as a huge positive integer, process execution terminates in practice before any following operations can run with the corrupted heap. This may allow a possible denial of service attack through hostapd/wpa_supplicant process termination under certain conditions.

WPS UPnP operations are performed over a trusted IP network connection, i.e., an attack against this vulnerability requires the attacker to have access to the IP network. In addition, this requires the WPS UPnP functionality to be enabled at runtime. For a WPS AP (hostapd) with wired network connectivity, this is commonly enabled. For a WPS station (wpa_supplicant), WPS UPnP functionality is used only when WPS ER functionality has been enabled at runtime (WPS_ER_START command issued over the control interface). The vulnerable functionality is not reachable without that command having been issued.
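As an added illustration, not code from this advisory or from the hostapd/wpa_supplicant sources, the following C sketch models the defect class described above (a chunk length stored in a 32-bit signed int going negative) and shows the parse-and-bound check a hardened chunked-transfer parser performs before any copy takes place. The body limit, function names and the sample chunked body are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the defect: the hex digits of a chunk-size line stored in a
 * 32-bit signed int. Any indicated length with the top bit set becomes
 * negative; if the length check does not reject negatives, memcpy()
 * later receives that value as a huge size_t. The wrap is emulated with
 * well-defined arithmetic so the result is identical on every platform.
 */
int32_t chunk_size_as_int32(const char *line)
{
    uint32_t u = (uint32_t) strtoul(line, NULL, 16);
    if (u > 0x7fffffffu)
        return (int32_t) (u - 0x80000000u) - INT32_MAX - 1;
    return (int32_t) u;
}

/*
 * Hardened parser: returns the chunk size, or -1 if the line is not a
 * hex number, the value overflows, or it exceeds the space left in the
 * request buffer. A negative return is always an error, and the bound is
 * checked before anything is copied. Chunk extensions after ';' are
 * permitted (RFC 7230); a leading sign or whitespace is not.
 */
long parse_chunk_size(const char *line, size_t remaining)
{
    char *end;
    unsigned long v;

    if (line == NULL || !isxdigit((unsigned char) *line))
        return -1;                       /* rejects "", "-1", " 5" */
    errno = 0;
    v = strtoul(line, &end, 16);
    if (errno == ERANGE || end == line)
        return -1;                       /* too many digits / no digits */
    if (*end != '\0' && *end != ';' && *end != ' ' && *end != '\r')
        return -1;                       /* junk after the size */
    if (v > LONG_MAX || v > remaining)
        return -1;                       /* would not fit the buffer */
    return (long) v;
}

/*
 * Reassembles a chunked body from a wire buffer into body[], validating
 * every chunk size against the remaining capacity before its memcpy().
 * Returns the body length, or -1 if the input is malformed or too large.
 */
long reassemble_chunked(const char *wire, size_t wire_len,
                        char *body, size_t body_cap)
{
    size_t pos = 0, body_len = 0;
    char line[32];

    for (;;) {
        size_t i = 0;
        long n;

        /* copy the chunk-size line (up to CRLF) into a NUL-terminated buffer */
        while (pos + i + 1 < wire_len && i < sizeof line - 1 &&
               !(wire[pos + i] == '\r' && wire[pos + i + 1] == '\n')) {
            line[i] = wire[pos + i];
            i++;
        }
        if (pos + i + 1 >= wire_len || wire[pos + i] != '\r')
            return -1;                   /* truncated or overlong size line */
        line[i] = '\0';
        pos += i + 2;

        n = parse_chunk_size(line, body_cap - body_len);
        if (n < 0)
            return -1;                   /* rejected before any copy */
        if (n == 0)
            return (long) body_len;      /* last chunk; trailers ignored */
        if ((size_t) n + 2 > wire_len - pos)
            return -1;                   /* payload truncated */
        memcpy(body + body_len, wire + pos, (size_t) n);
        body_len += (size_t) n;
        pos += (size_t) n;
        if (wire[pos] != '\r' || wire[pos + 1] != '\n')
            return -1;                   /* missing CRLF after payload */
        pos += 2;
    }
}

int main(void)
{
    /* constructed sample: two chunks followed by the terminating chunk */
    static const char wire[] = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
    char body[32];
    long n = reassemble_chunked(wire, sizeof wire - 1, body, sizeof body);

    printf("signed int32 view of 80000000: %ld\n",
           (long) chunk_size_as_int32("80000000"));
    printf("reassembled %ld bytes: %.*s\n", n, (int) n, body);
    printf("oversized chunk accepted? %s\n",
           parse_chunk_size("80000000", sizeof body) < 0 ? "no" : "yes");
    return 0;
}
```

The essential property is that the size is compared against the space actually left in the destination, using an unsigned value that cannot have gone negative, and that this comparison happens before memcpy() is reached; an input with a top-bit-set length is rejected outright rather than wrapping into a value a signed check might let through.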
Vulnerable versions/configurations

hostapd v0.7.0-v2.4 with CONFIG_WPS_UPNP=y in the build configuration (hostapd/.config) and upnp_iface parameter included in the runtime configuration.

wpa_supplicant v0.7.0-v2.4 with CONFIG_WPS_ER=y in the build configuration (wpa_supplicant/.config) and WPS ER functionality enabled at runtime with WPS_ER_START control interface command.

Acknowledgments

Thanks to Kostya Kortchinsky of Google Security Team for discovering and reporting this issue.

Possible mitigation steps

- Merge the following commit and rebuild hostapd/wpa_supplicant:
  WPS: Fix HTTP chunked transfer encoding parser
  This patch is available from http://w1.fi/security/2015-2/
- Update to hostapd/wpa_supplicant v2.5 or newer, once available
- Disable WPS UPnP in hostapd runtime configuration (remove the upnp_iface parameter from the configuration file)
- Do not enable WPS ER at runtime in wpa_supplicant (WPS_ER_START control interface command)
- Disable WPS UPnP/ER from the build (remove CONFIG_WPS_UPNP=y from hostapd/.config and CONFIG_WPS_ER=y from wpa_supplicant/.config)

Change history

June 1, 2015 - Added CVE ID