CVE-2006-6332
published 2006-12-10


Priority: P3 · 56 · high · CVSS 2.0: 7.5
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available (Metasploit module)
EPSS: 19.68% (97.1st percentile)
Stack-based buffer overflow in net80211/ieee80211_wireless.c in MadWifi before 0.9.2.1 allows remote attackers to execute arbitrary code via unspecified vectors, related to the encode_ie and giwscan_cb functions.

Affected

1 range
Vendor | Product | Version range | Fixed in
madwifi | madwifi | < 0.9.2.1 | 0.9.2.1

Detection & IOCs (extracted from sources)

  • other: VSYSCALL JMP ESP at 0xffffe777
  • other: scan_iterate_ra = 0x8014401 (Ubuntu 6.10 target: return address in ieee80211_scan_iterate in wlan.ko)
  • bytes: \xdd + value.length.chr + value (WPA IE overflow: \xdd followed by oversized length and payload)
  • Detect oversized WPA/RSN/WME/Atheros OUI Information Elements in 802.11 beacon frames — the overflow is triggered by a crafted IE where the length field causes a stack buffer overflow in giwscan_cb via memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2).
  • Monitor for 802.11 beacon frames containing a WPA IE (tag 0xdd, OUI 00:50:f2:01) with an abnormally large length field (e.g., 0xc6 = 198 bytes) exceeding the expected buffer size.
  • The exploit path is: ieee80211_ioctl_giwscan -> ieee80211_scan_iterate -> sta_iterate -> giwscan_cb; monitor for kernel crashes or unexpected code execution originating from wlan.ko / MadWifi driver context.
  • The vulnerability is triggered by any of these crafted information elements in beacon frames: WPA, RSN, WME, and Atheros OUI. Inspect all four IE types for oversized length fields.
  • Exploit beacons use a fixed SSID IE payload of '\x00\x03\x41\x41\x41' (SSID = 'AAA') and a specific supported-rates IE '\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48'; these static bytes can serve as a signature for the PoC exploit traffic.
  • The exploit sends approximately 10 beacon frames per second (usleep(100000)) in a loop of 10,000 iterations; high-rate beacon flooding from a single source with malformed IEs is a detection signal.
  • The VSYSCALL JMP ESP address 0xffffe777 is valid for Linux kernel 2.6.17; kernels >= 2.6.18 without a fixed vsyscall entry require a hardcoded kernel value instead.
  • The Metasploit module's 'Generic' target requires a non-randomized vDSO (ASLR disabled) to use the fixed JMP ESP address 0xffffe777; a randomized vDSO will cause exploitation to fail.
  • Red Hat Enterprise Linux 2.1, 3, 4, and 5 are not affected because the MadWifi driver is not shipped with those distributions.
  • The WPA IE length field in the exploit beacon is dynamically patched at runtime (FIX_BYTE macro); the exact length byte in captured frames will vary depending on pad_space and shellcode size, so length-based detection rules must use a threshold (> expected max) rather than an exact value.
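The detection points above (a length threshold on WPA, RSN, WME and Atheros IEs rather than an exact value, and the unchecked `memcpy(buf, se->se_wpa_ie, se->se_wpa_ie[1] + 2)` pattern) as an added example. This is not code from the page, from MadWifi, or from the Metasploit module. The beacon bytes are constructed here to mirror the PoC traffic described above (SSID "AAA", the fixed supported-rates IE, a WPA IE with length 0xc6). The 64-byte destination size is an assumption, since the page does not state the size of the stack buffer in giwscan_cb; 00:03:7f as the Atheros OUI is taken from the driver's ATH_OUI definition, not from this page.

```c
/* Added example: parse the tagged parameters of an 802.11 beacon body,
 * flag RSN / WPA / WME / Atheros IEs that would not fit a fixed copy buffer,
 * and show the vulnerable copy beside a bounded one. Not MadWifi code. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define BEACON_FIXED_LEN 12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define MAX_IE_LEN 64         /* ASSUMED destination size; giwscan_cb's real buffer size is not on the page */

enum ie_kind { IE_OTHER = 0, IE_RSN, IE_WPA, IE_WME, IE_ATHEROS };

/* Classify one IE by tag and, for vendor-specific (0xdd), by OUI + type.
 * WPA = 00:50:f2 type 1 (from the page), WME = 00:50:f2 type 2, Atheros = 00:03:7f (ATH_OUI), RSN = tag 0x30. */
static enum ie_kind classify_ie(const uint8_t *ie, size_t body_len)
{
    static const uint8_t ms_oui[3]  = {0x00, 0x50, 0xf2};
    static const uint8_t ath_oui[3] = {0x00, 0x03, 0x7f};
    if (ie[0] == 0x30) return IE_RSN;
    if (ie[0] != 0xdd || body_len < 4) return IE_OTHER;   /* need OUI(3) + type(1) */
    const uint8_t *body = ie + 2;
    if (memcmp(body, ms_oui, 3) == 0 && body[3] == 0x01) return IE_WPA;
    if (memcmp(body, ms_oui, 3) == 0 && body[3] == 0x02) return IE_WME;
    if (memcmp(body, ath_oui, 3) == 0) return IE_ATHEROS;
    return IE_OTHER;
}

/* Walk the IEs after the fixed beacon fields. Returns how many of the four
 * interesting IE kinds have tag+len+body larger than max_ie_len, or -1 when a
 * length byte runs past the end of the frame (itself a sign of a crafted frame). */
int count_oversized_ies(const uint8_t *body, size_t body_len, size_t max_ie_len)
{
    if (body_len < BEACON_FIXED_LEN) return -1;
    size_t off = BEACON_FIXED_LEN;
    int flagged = 0;
    while (off + 2 <= body_len) {
        const uint8_t *ie = body + off;
        size_t ie_len = ie[1];
        if (off + 2 + ie_len > body_len) return -1;      /* length field lies about the frame */
        if (classify_ie(ie, ie_len) != IE_OTHER && ie_len + 2 > max_ie_len)
            flagged++;
        off += 2 + ie_len;
    }
    return flagged;
}

/* The pattern the advisory describes: the attacker-controlled length byte sizes
 * the copy, so a length of 0xc6 writes 200 bytes into a fixed stack buffer.
 * Shown for contrast only; never call this on untrusted input. */
void copy_ie_unchecked(uint8_t *buf, const uint8_t *ie)
{
    memcpy(buf, ie, ie[1] + 2);                            /* vulnerable: no bound on ie[1] */
}

/* Hardened copy: refuse anything that would not fit. Returns bytes copied or -1. */
int copy_ie_bounded(uint8_t *dst, size_t dst_cap, const uint8_t *ie)
{
    size_t n = (size_t)ie[1] + 2;
    if (n > dst_cap) return -1;
    memcpy(dst, ie, n);
    return (int)n;
}

/* Constructed beacon body resembling the PoC traffic: fixed fields, SSID "AAA",
 * the rates IE quoted on the page, then a WPA IE with the caller's length byte.
 * The WPA payload is 'A' filler standing in for the real exploit bytes.
 * Returns the body length, or 0 if it does not fit. */
size_t build_beacon_body(uint8_t *out, size_t cap, uint8_t wpa_ie_len)
{
    static const uint8_t fixed[BEACON_FIXED_LEN] = {
        0, 0, 0, 0, 0, 0, 0, 0,   /* timestamp */
        0x64, 0x00,               /* beacon interval 100 TU */
        0x11, 0x04                /* capability: ESS + privacy (illustrative) */
    };
    static const uint8_t ssid_ie[]  = {0x00, 0x03, 0x41, 0x41, 0x41};
    static const uint8_t rates_ie[] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x18, 0x30, 0x48};
    size_t need = sizeof fixed + sizeof ssid_ie + sizeof rates_ie + 2 + wpa_ie_len;
    if (cap < need || wpa_ie_len < 4) return 0;
    size_t off = 0;
    memcpy(out + off, fixed, sizeof fixed);       off += sizeof fixed;
    memcpy(out + off, ssid_ie, sizeof ssid_ie);   off += sizeof ssid_ie;
    memcpy(out + off, rates_ie, sizeof rates_ie); off += sizeof rates_ie;
    out[off++] = 0xdd;
    out[off++] = wpa_ie_len;
    out[off++] = 0x00; out[off++] = 0x50; out[off++] = 0xf2; out[off++] = 0x01;   /* WPA OUI + type */
    memset(out + off, 0x41, wpa_ie_len - 4);      off += wpa_ie_len - 4;
    return off;
}

int main(void)
{
    uint8_t frame[512], buf[MAX_IE_LEN];
    size_t n = build_beacon_body(frame, sizeof frame, 0xc6);     /* PoC-like: 198-byte WPA IE */
    printf("crafted beacon: %zu bytes, oversized IEs = %d, bounded copy = %d\n",
           n, count_oversized_ies(frame, n, MAX_IE_LEN), copy_ie_bounded(buf, sizeof buf, frame + 27));
    n = build_beacon_body(frame, sizeof frame, 24);               /* ordinary-sized WPA IE */
    printf("benign beacon:  %zu bytes, oversized IEs = %d, bounded copy = %d\n",
           n, count_oversized_ies(frame, n, MAX_IE_LEN), copy_ie_bounded(buf, sizeof buf, frame + 27));
    return 0;
}
```

In a capture pipeline the input to count_oversized_ies is the management-frame body after the 24-byte MAC header; the WPA IE lands at offset 27 only because of the fixed SSID and rates IEs built here. A -1 return (length byte running past the frame) is worth alerting on as well, since a well-formed beacon never does that.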

CVSS provenance

nvd: v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat: 7.5 HIGH