CVE-2021-1965 PoC — 多款Qualcomm产品输入验证错误漏洞

Source

https://github.com/parsdefense/CVE-2021-1965

Associated Vulnerability

Title:多款Qualcomm产品输入验证错误漏洞 (CVE-2021-1965)
Description:Qualcomm QCA6574AU等都是美国高通（Qualcomm）公司的产品。QCA6574AU是一款中央处理器（CPU）产品。SDX55是一款调制解调器。IPQ6018是一款中央处理器（CPU）产品。 qualcomm 多款产品存在输入验证错误漏洞，该漏洞源于WLAN主机通信中MBSSID扫描IE解析时缺少参数长度检查。攻击者可利用该漏洞可以向设备发送专门设计的通信，触发内存损坏，并在目标系统上执行任意代码。

Description

CVE-2021-1965 WiFi Zero Click RCE Trigger PoC

Readme

# CVE-2021-1965
CVE-2021-1965 WiFi Zero Click RCE Trigger PoC

Compile: make

BE SURE THAT monitor mode is enabled on your wifi card and interface name is updated here:

https://github.com/parsdefense/CVE-2021-1965/blob/main/CVE-2021-1965-poc.c#L158

This is a quick&dirty Proof-of-Concept code to verify if your phone is vulnerable. After running the poc code, your phone is supposed to crash&reboot within seconds. In case you need more info about the bug & vulnerable code, here you are:

Description: Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse

During multiple BSSID scan ie parse, there is memory allocation on new_ie variable of size 1024 which may create buffer overflow in util_gen_new_ie() if ie length is greater than 1024.

https://source.codeaurora.org/quic/qsdk/platform/vendor/qcom-opensource/wlan/qca-wifi-host-cmn/commit/?id=a426e5e1668fff3dfe8bde777a9340cbc129f8df

File Snapshot


 [4.0K]  /data/pocs/423e629c9978f69ed65ca23f9793a0d4964047ef
├── [ 16K]  CVE-2021-1965-poc.c
├── [1.0K]  LICENSE.md
├── [ 105]  Makefile
└── [ 930]  README.md

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!