Wireless Security
MS09-049: Vista Wireless LAN Autoconfig Service Code Execution Vulnerability Sep 11 2009 10:16AM
Joshua Wright (jwright hasborg com)

I'm including a write-up from the SANS @RISK vulnerability alert system
below. With Vista, Microsoft re-wrote the native wireless stack,
reducing the amount of packet-handling code an independent hardware
vendor (IHV) had to do and standardizing the functionality of the wireless
interface. On one hand, this was great, as it meant that we could
quell the stream of vulnerabilities in wireless drivers from Atheros,
Broadcom, Intel and more, relying instead on the Microsoft-native code
for handling 802.11 frames.

On the other hand, now every Vista client with a wireless card (that
hasn't yet patched) is vulnerable to a drive-by wireless exploit. While
wireless driver vulnerabilities have been known to affect XP, it was
difficult to use them since targeting a vulnerable client is difficult
(knowing what driver they are using, for example, is possible but hard
and impractical today). With the Vista stack, that isn't an issue, as
it's trivial to identify a Vista vs. XP box from observing the client
activity over the air.

I'm still supportive of Microsoft's change to unify the wireless stack
on Vista since it has a lot of other practical benefits over the prior
XP model, plus many users who take advantage of auto update will be
patched shortly (much better than XP where drivers were almost never
updated, unless done manually). Still, as a 0-day, this one is pretty

-Josh

p.s. Last chance to register for my SANS Institute course Ethical
Hacking Wireless, where we cover wireless driver exploits and more
wireless hacking than you can shake a stick at, delivered live at home
(by me) once a week for 12 weeks. Class starts Wednesday night. Sign up
now and get a free Kindle v2!
http://www.sans.org/vlive/details.php?nid=19608 (enter "kindle" as the
discount code).

--

(6) CRITICAL: Microsoft Windows Wireless LAN Autoconfig Service Code
Execution Vulnerability (MS09-049)
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service
Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
32-bit Systems Service Pack 2*
Windows Server 2008 for x64-based Systems and Windows Server 2008 for
x64-based Systems Service Pack 2*

Description: Microsoft Windows Wireless LAN Autoconfig Service
(Wlansvc), a service used to configure wireless connectivity
settings and security, has been found to have a heap-based buffer
overflow vulnerability. The issue is caused by inadequate validation
of malformed frames received on a wireless network. A wireless
transmitter that transmits a specially crafted frame can be used to
trigger this vulnerability provided the wireless network interface is
enabled. Successful exploitation might allow an attacker to execute
arbitrary code in the context of the logged-on user. Technical details
for this vulnerability are not available.

Status: Vendor confirmed, updates available.

Microsoft Security Bulletin
Vendor Home Page
SecurityFocus BID


Copyright 2010, SecurityFocus