Intel Wi-FiÇý¶¯Îó²îÆÊÎö

Ðû²¼Ê±¼ä 2021-04-27

Intel Wi-FiоƬÆÕ±éÓ¦ÓÃÓÚСÎÒ˽¼ÒÌõ¼Ç±¾µçÄÔ²úÆ·£¬£¬£¬£¬£¬£¬ÈçThinkPad¡¢DellÌõ¼Ç±¾µÈ¡£¡£¡£¡£¡£¡£¡£2020Ä꣬£¬£¬£¬£¬£¬ZDI×éÖ¯Åû¶ÁËIntelÎÞÏßÍø¿¨WindowsÇý¶¯³ÌÐòÖб£´æCVE-2020-0557 ºÍ CVE-2020-0558Îó²î¡£¡£¡£¡£¡£¡£¡£ÆäÖУ¬£¬£¬£¬£¬£¬CVE-2020-0557µÄCVSS v3.0ÆÀ·ÖΪ 8.1 ·Ö£¬£¬£¬£¬£¬£¬CVE-2020-0558µÄCVSS v3.0ÆÀ·ÖΪ 8.2 ·Ö¡£¡£¡£¡£¡£¡£¡£Í¨¹ýÕâÁ½¸öÎó²î£¬£¬£¬£¬£¬£¬¹¥»÷Õß¿ÉÒÔÔÚÊܺ¦ÕßµçÄÔÖÐÔ¶³ÌÖ´ÐÐí§Òâ´úÂë¡£¡£¡£¡£¡£¡£¡£


Îó²î±àºÅÓ°ÏìµÄÎÞÏßÍø¿¨Ó°ÏìÇý¶¯
CVE-2020-0557AC 7265 Rev D¡¢AC 3168¡¢AC 8265ºÍAC8260Intel PROSet/Wireless WiFi Software 21.70֮ǰ°æ±¾
CVE-2020-0558AC8265Intel PROSet/Wireless WiFi Software 21.70֮ǰ°æ±¾


CVE-2020-0558Îó²îÆÊÎö


1¡¢Îó²îÔ­Àí

µ±APÈÈÃÅ´¦Öóͷ£AssocReqʱ£¬£¬£¬£¬£¬£¬»áŲÓÃprvhPanClientSaveAssocRespº¯ÊýÉúÑÄAssocReqÖ¡ÖÐSSIDµÄÖµ£¬£¬£¬£¬£¬£¬ÔÚ´¦Öóͷ£SSIDµÄÀú³ÌÖУ¬£¬£¬£¬£¬£¬»áŲÓÃparse_ieº¯Êý´ÓÊý¾ÝÖ¡ÖÐÈ¡³össidµÄTLV½á¹¹£¬£¬£¬£¬£¬£¬²¢Å²ÓÃmemcpy_sº¯Êý½«ssidµÄÄÚÈݸ´ÖƵ½Ä¿µÄ»º³åÇø¡£¡£¡£¡£¡£¡£¡£ÔÚŲÓÃmemcpy_sº¯ÊýµÄʱ¼ä£¬£¬£¬£¬£¬£¬¹ýʧµØʹÓÃssidµÄlength×÷ΪÊý¾Ý¸´ÖƳ¤¶È£¬£¬£¬£¬£¬£¬µ±ssidµÄ³¤¶È´óÓÚÄ¿µÄ»º³åÇøµÄ³¤¶Èʱ£¬£¬£¬£¬£¬£¬»áµ¼Ö»º³åÇøÒç³ö¡£¡£¡£¡£¡£¡£¡£º¯ÊýŲÓÃͼÈçÏÂËùʾ£º


1.jpg


2¡¢ÎÊÌâ´úÂë

ŲÓÃparse_ieº¯Êý´ÓÊý¾ÝÖ¡ÖÐÈ¡³össidµÄTLV½á¹¹£¬£¬£¬£¬£¬£¬²¢Å²ÓÃmemcpy_sº¯Êý½«ssidµÄÄÚÈݸ´ÖƵ½Ä¿µÄ»º³åÇø¡£¡£¡£¡£¡£¡£¡£ÔÚŲÓÃmemcpy_sº¯ÊýµÄʱ¼ä£¬£¬£¬£¬£¬£¬¹ýʧµØʹÓÃssidµÄlength×÷ΪÊý¾Ý¸´ÖƳ¤¶È£¬£¬£¬£¬£¬£¬µ±ssidµÄ³¤¶È´óÓÚÄ¿µÄ»º³åÇøµÄ³¤¶Èʱ£¬£¬£¬£¬£¬£¬»áµ¼Ö»º³åÇøÒç³ö¡£¡£¡£¡£¡£¡£¡£ÔÚÏÂͼÖУ¬£¬£¬£¬£¬£¬¹¥»÷Õß¿ÉÒÔ¿ØÖÆ*(v8+1)µÄÖµ£¬£¬£¬£¬£¬£¬¿ÉÒÔ¿½±´³¬³¤µÄÊý¾Ý¸´ÖƵ½Ä¿µÄµØµãÖУ¬£¬£¬£¬£¬£¬´Ó¶øµ¼Ö»º³åÇøÒç³ö¡£¡£¡£¡£¡£¡£¡£ÈçÏÂͼËùʾ£º


2.jpg


3¡¢Îó²îÐÞ¸´

а汾µÄ´úÂëÖÐʹÓÃosalMemoryCopyº¯ÊýÌæ»»ÁËÔ­À´µÄmemcpy_sº¯Êý£¬£¬£¬£¬£¬£¬ÁíÍâ°ÑSSID¿½±´µÄ×î´ó³¤¶ÈÇ¿ÖÆÉèΪ32×Ö½Ú£¬£¬£¬£¬£¬£¬ÕâÑù¾Í×èÖ¹ÁË»º´æÇøÒç³öµÄÎÊÌâ¡£¡£¡£¡£¡£¡£¡£ÈçÏÂͼËùʾ£º


3.jpg


CVE-2020-0557Îó²îÆÊÎö


1¡¢Îó²îÔ­Àí

µ±APÈÈÃÅ´¦Öóͷ£AssocReqʱ£¬£¬£¬£¬£¬£¬»áŲÓÃprvhPanClientSaveAssocRespº¯Êý´¦Öóͷ£AssocReqÖ¡ÖеÄÊý¾Ý£¬£¬£¬£¬£¬£¬ÆäÖÐÔÚº¯ÊýÖлáŲÓÃprvGoVifClientAssocStoreSupportedChannelsº¯ÊýÀ´´¦Öóͷ£¼°ÉúÑÄÇëÇó¶ËͨµÀÐÅÏ¢£¬£¬£¬£¬£¬£¬ÕâÆäÖÐprvGoVifClientAssocStoreSupportedChannelsº¯Êý»áÑ­»·Å²ÓÃutilRegulatoryClassToChannelListÀ´´¦Öóͷ£RegulatoryClass£¨¹ÜÖÆÒªÇó£©ÐÅÏ¢¡£¡£¡£¡£¡£¡£¡£ÓÉÓÚÔÚÑ­»·´¦Öóͷ£Ã»ÓÐ˼Á¿Ä¿µÄµÄÆ«ÒÆÊÇ·ñÔ½½ç£¬£¬£¬£¬£¬£¬µ±APÈÈÃÅÎüÊÕµ½AssocReqÊý¾ÝÖ¡ÖÐRegulatoryClassÐÅÏ¢µ¥Î»Óжà¸öÐŵÀÊý¾Ýʱ»áµ¼ÖÂÔ½½çд¡£¡£¡£¡£¡£¡£¡£º¯ÊýŲÓÃͼÈçÏÂͼËùʾ£º


4.jpg



2¡¢ÎÊÌâ´úÂë

prvGoVifClientAssocStoreSupportedChannelsº¯Êý£¬£¬£¬£¬£¬£¬ÈçÏÂͼËùʾ£º

 

5.jpg

6.jpg


3¡¢Îó²îÐÞ¸´

ÔÚа汾 Ôö½øÁ˶ÔÄ¿½ñindexµÄÅжϣ¬£¬£¬£¬£¬£¬ÈôÊÇindex´óÓÚ255ÔòÍ˳öÑ­»·¡£¡£¡£¡£¡£¡£¡£ÈçÏÂͼËùʾ£º


7.jpg


 4¡¢Îó²îÑéÖ¤



²Î¿¼Á´½Ó£º

¡¾1¡¿https://www.thezdi.com/blog/2020/5/4/analyzing-a-trio-of-remote-code-execution-bugs-in-intel-wireless-adapters


MG±ùÇòÍ»ÆÆÊÔÍæÆð¾¢·ÀÓùʵÑéÊÒ£¨ADLab£©


ADLab½¨ÉèÓÚ1999Ä꣬£¬£¬£¬£¬£¬ÊÇÖйúÇå¾²ÐÐÒµ×îÔ罨ÉèµÄ¹¥·ÀÊÖÒÕÑо¿ÊµÑéÊÒÖ®Ò»£¬£¬£¬£¬£¬£¬Î¢ÈíMAPPÍýÏë½¹µã³ÉÔ±£¬£¬£¬£¬£¬£¬¡°ºÚȸ¹¥»÷¡±¿´·¨Ê×ÍÆÕß¡£¡£¡£¡£¡£¡£¡£×èÖ¹ÏÖÔÚ£¬£¬£¬£¬£¬£¬ADLabÒÑͨ¹ýCVEÀÛ¼ÆÐû²¼Çå¾²Îó²î½ü1100¸ö£¬£¬£¬£¬£¬£¬Í¨¹ý CNVD/CNNVDÀÛ¼ÆÐû²¼Çå¾²Îó²î1000Óà¸ö£¬£¬£¬£¬£¬£¬Ò»Á¬¼á³Ö¹ú¼ÊÍøÂçÇå¾²ÁìÓòÒ»Á÷Ë®×¼¡£¡£¡£¡£¡£¡£¡£ÊµÑéÊÒÑо¿Æ«Ïòº­¸Ç²Ù×÷ϵͳÓëÓ¦ÓÃϵͳÇå¾²Ñо¿¡¢ÖÇÄÜÖÕ¶ËÇå¾²Ñо¿¡¢ÎïÁªÍøÖÇÄÜ×°±¸Çå¾²Ñо¿¡¢WebÇå¾²Ñо¿¡¢¹¤¿ØϵͳÇå¾²Ñо¿¡¢ÔÆÇå¾²Ñо¿¡£¡£¡£¡£¡£¡£¡£Ñо¿Ð§¹ûÓ¦ÓÃÓÚ²úÆ·½¹µãÊÖÒÕÑо¿¡¢¹ú¼ÒÖصã¿Æ¼¼ÏîÄ¿¹¥¹Ø¡¢×¨ÒµÇ徲ЧÀ͵È¡£¡£¡£¡£¡£¡£¡£


adlab.jpg