eEye Retina Wireless Scanner .RWS File Processing Memory Corruption

Release Date:
July 10, 2009

Date Reported:
May 16, 2009

Patch Development Time (In Days):
55  

Severity:
Moderate (Memory corruption with potential to execute arbitrary code)

Vendor:
eEye Digital Security

Systems Affected:
Microsoft Windows

Overview:
The reported vulnerability originates from the way that Retina Wireless handles .RWS files, a file format specific to Retina Wireless that is used to save wireless scan information. The RWS file processing functions perform improper boundary checking, which could corrupt memory and potentially lead to the execution of arbitrary code under rare scenarios.

There are several mitigating factors users should take into account for this vulnerability. First, the .RWS file type is not automatically associated with Retina Wireless Scanner, meaning that the file must be manually opened from within Retina Wireless. Attackers wishing to leverage this vulnerability could not rely on a victim double-clicking a file from an email or website and having an exploit run. Next, while the proof of concept code causes the application to crash, it does not execute arbitrary code. It should also be noted that this vulnerability is specific to the RWS file format and does not apply to over-the-air transmissions, meaning attackers cannot set up a malicious wireless device and distribute this attack.

Technical Details:
The RWS file format, which is unique to Retina Wireless Scanner and is used for loading saved wireless traffic communication, contains several entity fields that represent different 802.11 data structures.

If one of these data fields contains an overly long entity without a terminating character, loading the file into Retina Wireless Scanner can overflow a statically sized buffer, resulting in a memory corruption scenario.

For further details, please see the discovery advisory at http://www.zeroscience.org/codes/retinawifi_bof.txt
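The bounds check this class of bug calls for, shown as an added example that is not eEye's code: an entity is copied into a fixed-size buffer only if its terminator lies inside the bytes actually read and the entity fits. The advisory does not document the RWS layout, so the function names, the 32-byte capacity and the NUL terminator are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes: the RWS layout is not documented in the advisory. */
#define ENTITY_MAX 32   /* assumed capacity of the fixed-size destination */
enum { ENTITY_OK = 0, ENTITY_UNTERMINATED = -1, ENTITY_TOO_LONG = -2 };

/* Copy one terminated entity from the untrusted file image in[0..in_len)
 * into a fixed-size buffer. The terminator is assumed to be a NUL byte.
 * On success *consumed is the number of input bytes used, terminator included. */
static int read_entity(const unsigned char *in, size_t in_len,
                       char out[ENTITY_MAX], size_t *consumed)
{
    /* Search only within the bytes that were read from the file. */
    const unsigned char *end = memchr(in, 0, in_len);
    if (end == NULL)
        return ENTITY_UNTERMINATED;   /* no terminator: never scan past the input */
    size_t len = (size_t)(end - in);
    if (len >= ENTITY_MAX)
        return ENTITY_TOO_LONG;       /* reject instead of overflowing or truncating */
    memcpy(out, in, len);
    out[len] = '\0';
    *consumed = len + 1;
    return ENTITY_OK;
}

/* Constructed sample: n filler bytes, optionally followed by the terminator.
 * Returns the bytes consumed on success, or the negative status on rejection. */
static int try_sample(size_t n, int terminated)
{
    unsigned char file[256];
    char out[ENTITY_MAX];
    size_t used = 0;
    if (n >= sizeof file)
        return ENTITY_TOO_LONG;
    memset(file, 'A', n);
    if (terminated)
        file[n] = 0;
    int rc = read_entity(file, n + (terminated ? 1 : 0), out, &used);
    return rc == ENTITY_OK ? (int)used : rc;
}

int main(void)
{
    printf("well-formed: %d\n", try_sample(7, 1));
    printf("over-long: %d\n", try_sample(200, 1));
    printf("unterminated: %d\n", try_sample(200, 0));
    return 0;
}
```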

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability with audit "9058 - eEye Digital Security Retina Wireless Scanner Security Update (20090710)".
Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability.

Vendor Status:
eEye Digital Security has issued a security update for this product. This fix is implemented in Retina Network Security Scanner 5.10.15 and is available for download from the eEye Clients Portal (http://www.eeye.com/clients) or by using the eEye Auto-Updater. Users of the discontinued stand-alone version of the Retina Wireless Scanner can download an update from the Retina Wireless download page.

Credit:
Gjoko Krstic aka "LiquidWorm"

Copyright (c) 1998-2010 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.