cbcvebase.
CVE-2014-8322
published 2020-01-31

CVE-2014-8322: Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a…

Priority: P2 · 70 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 23.93% (97.6th percentile)
Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter value.

Affected (7 ranges)

Vendor        Product       Version range                   Fixed in
aircrack-ng   aircrack-ng   <= 1.1                          -
aircrack-ng   aircrack-ng   (not specified)                 -
aircrack-ng   aircrack-ng   >= 0 < 1:1.2-0~beta3-2          1:1.2-0~beta3-2
aircrack-ng   aircrack-ng   >= 0 < 1:1.2-0~beta3-2          1:1.2-0~beta3-2
aircrack-ng   aircrack-ng   >= 0 < 1:1.2-0~beta3-2          1:1.2-0~beta3-2
aircrack-ng   aircrack-ng   >= 0 < 1:1.2-0~beta3-2          1:1.2-0~beta3-2
debian        aircrack-ng   < 1:1.2-0~beta3-2 (bookworm)    1:1.2-0~beta3-2 (bookworm)

Detection & IOCs (extracted from sources)

Path: aireplay-ng.c / tcp_test function
URL: https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b
  • The exploit sends a crafted TCP packet carrying a net_hdr structure (1-byte type=0x1, 4-byte big-endian length, followed by data). A length value inconsistent with the actual payload size (PAD_BYTES=1304 bytes of 'A' followed by a ROP chain) triggers the overflow in tcp_test(). Detect oversized or malformed nh_len values (larger than the receiver's fixed buffer, or not matching the bytes actually sent) in connections to aireplay-ng --test listener ports.
  • The post-exploitation payload spawns a shell via netcat on port 1234 using `nc -l -p 1234 -e /bin/sh`; note that this is a bind shell (netcat listens and the attacker connects in), not a reverse shell. Monitor for unexpected creation of that process with aireplay-ng as the parent, and for an unexpected listener or inbound connections on TCP port 1234 on hosts running aireplay-ng.
  • The vulnerability is in the `tcp_test` function (aireplay-ng --test mode). Only aireplay-ng instances running in TCP test mode are exposed. Audit process command lines for `aireplay-ng --test` invocations.
  • The ROP gadget addresses (POP_RDI, POP_RBX, MOV_TO_RDI, SYSTEM, DATA=0x6265a0) are hardcoded for Aircrack-ng 1.2 beta3 on Kali Linux 1.0.9 x64 only. These addresses will differ on other builds, distributions, or with ASLR/PIE enabled.
  • The vulnerability affects Aircrack-ng versions up to and including 1.2 beta3. Versions at 1.2 RC1 or later, and distribution packages that carry the backported fix (Debian: 1:1.2-0~beta3-2, Fedora: 1.2-0.3.rc1), are not vulnerable.
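The following is an added illustration written for this page, not aircrack-ng's source or the public PoC. It models the wire format described in the IOC notes (1-byte type, 4-byte big-endian length, payload) and shows the vulnerable pattern (trusting the attacker-controlled length when copying into a fixed stack buffer) beside a hardened receiver, plus the header check that doubles as the detection rule for oversized or mismatched nh_len values. The struct and field names, the FRAME_MAX buffer size, and the type constant are assumptions; the sample frames are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>        /* ntohl / htonl */

/* Assumed wire layout from the IOC note: 1-byte type, 4-byte big-endian
 * length, then payload. Names here are this example's, not aircrack-ng's. */
struct net_hdr {
    uint8_t  nh_type;
    uint32_t nh_len;          /* big-endian on the wire */
} __attribute__((packed));

#define NET_TYPE_TEST 0x1     /* type byte seen in the exploit traffic */
#define FRAME_MAX     2048    /* assumed size of the fixed on-stack buffer */

enum hdr_verdict { HDR_OK = 0, HDR_TRUNCATED, HDR_OVERSIZED, HDR_LEN_MISMATCH };

/* Parse the header and judge whether nh_len is consistent with the bytes that
 * actually arrived and with the receiver's buffer. This is both the check a
 * fixed receiver performs and a detection rule to run over captured frames. */
static enum hdr_verdict net_hdr_check(const uint8_t *pkt, size_t pktlen,
                                      uint32_t *len_out)
{
    struct net_hdr nh;
    if (pktlen < sizeof nh)
        return HDR_TRUNCATED;
    memcpy(&nh, pkt, sizeof nh);
    uint32_t len = ntohl(nh.nh_len);
    if (len_out) *len_out = len;
    if (len > FRAME_MAX)                 /* would overrun the stack buffer */
        return HDR_OVERSIZED;
    if (len != pktlen - sizeof nh)       /* claims more or less than was sent */
        return HDR_LEN_MISMATCH;
    return HDR_OK;
}

/* Vulnerable pattern: trusts the attacker-controlled length. Kept only for
 * comparison; never feed it untrusted input. */
static int handle_test_vulnerable(const uint8_t *pkt, size_t pktlen)
{
    uint8_t buf[FRAME_MAX];
    struct net_hdr nh;
    if (pktlen < sizeof nh) return -1;
    memcpy(&nh, pkt, sizeof nh);
    uint32_t len = ntohl(nh.nh_len);
    memcpy(buf, pkt + sizeof nh, len);   /* BUG: len is not bounded by sizeof buf */
    return (int)len;
}

/* Hardened pattern: reject the frame unless the header check passes. */
static int handle_test_safe(const uint8_t *pkt, size_t pktlen)
{
    uint8_t buf[FRAME_MAX];
    uint32_t len;
    if (net_hdr_check(pkt, pktlen, &len) != HDR_OK)
        return -1;
    memcpy(buf, pkt + sizeof(struct net_hdr), len);
    return (int)len;
}

/* Constructed sample input: a frame whose header claims claimed_len bytes but
 * actually carries payload_len bytes of 'A'. Returns total frame size, 0 if
 * it does not fit in the output buffer. */
static size_t build_frame(uint8_t *out, size_t outcap, uint32_t claimed_len,
                          size_t payload_len)
{
    struct net_hdr nh = { .nh_type = NET_TYPE_TEST, .nh_len = htonl(claimed_len) };
    if (sizeof nh + payload_len > outcap) return 0;
    memcpy(out, &nh, sizeof nh);
    memset(out + sizeof nh, 'A', payload_len);
    return sizeof nh + payload_len;
}

/* Convenience wrappers: build a frame and report what the checks say. */
static enum hdr_verdict verdict_for(uint32_t claimed_len, size_t payload_len)
{
    uint8_t frame[4096];
    size_t n = build_frame(frame, sizeof frame, claimed_len, payload_len);
    return net_hdr_check(frame, n, NULL);
}

static int safe_copy_for(uint32_t claimed_len, size_t payload_len)
{
    uint8_t frame[4096];
    size_t n = build_frame(frame, sizeof frame, claimed_len, payload_len);
    return handle_test_safe(frame, n);
}

int main(void)
{
    uint8_t frame[4096];
    size_t n = build_frame(frame, sizeof frame, 16, 16);       /* honest frame */
    printf("honest:  verdict=%d safe=%d vuln=%d\n", net_hdr_check(frame, n, NULL),
           handle_test_safe(frame, n), handle_test_vulnerable(frame, n));
    /* hostile frame: 1304 bytes of padding but a header claiming 0x10000 */
    printf("hostile: verdict=%d safe=%d\n", verdict_for(0x10000, 1304),
           safe_copy_for(0x10000, 1304));
    return 0;
}
```

Run over a capture, `net_hdr_check` flags the exploit's frame as HDR_OVERSIZED before any copy happens; a frame that fits the buffer but whose claimed length does not match the bytes received is reported separately as HDR_LEN_MISMATCH, which is worth alerting on even when it cannot overflow. Only the type byte and length encoding come from the IOC notes; the real aircrack-ng buffer size and field names may differ.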

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -        9.8    CRITICAL  -
vendor_debian   -        9.8    CRITICAL  -