CVE-2017-11669
Description
Out-of-bounds read in eapmd5pass 1.4 allows remote attackers to crash the process via crafted network packets causing denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read flaw exists in the assess_packet function in eapmd5pass.c:211 of eapmd5pass version 1.4. The software is used for cracking EAP-MD5 hashes and processes network packets. A remote attacker can trigger this bug by sending specially crafted traffic to the vulnerable service.
Exploitation
The attacker requires network access to the target running eapmd5pass. By generating specially crafted network packets and transmitting them to the service, the out-of-bounds read occurs in the assess_packet function. No authentication or user interaction is needed. The bug was discovered via fuzzing with libFuzzer and AddressSanitizer [1].
Impact
Successful exploitation leads to a crash of the eapmd5pass process, resulting in denial of service. The impact is limited to availability; no evidence of code execution or information disclosure is provided in the available sources [1].
Mitigation
As of the available references, no official patch or fixed version has been released for eapmd5pass 1.4. Users may consider disabling or restricting access to the service until a fix is available. The software is shipped with Kali Linux [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:eapmd5pass_project:eapmd5pass:1.4:*:*:*:*:*:*:*
- (no CPE) range: = 1.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing packet length validation before dereferencing IEEE 802.2 header fields in assess_packet allows out-of-bounds read."
Attack vector
An attacker sends a specially crafted network packet that is too small to contain a valid IEEE 802.2 header [1]. When `assess_packet` processes the undersized packet, it reads `dsap` and `ssap` fields from memory beyond the packet buffer, causing an out-of-bounds read (CWE-125) [1]. The attack requires no authentication and can be delivered remotely over the network (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Affected code
The vulnerability is in the `assess_packet` function in `eapmd5pass.c` at line 211 [1]. The function reads from a `dot2hdr` structure without first validating that the packet is large enough to contain the expected IEEE 802.2 header fields [1].
What the fix does
The patch adds a minimum packet length check at the beginning of `assess_packet`: if `offset + sizeof(struct dot11hdr) > h->caplen`, the function returns early [1]. This ensures the packet is large enough to contain the expected 802.11 header before any fields are dereferenced, preventing the out-of-bounds read [1]. The advisory notes that similar validation checks should be added at other places in the same function [1].
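As an added illustration (not eapmd5pass's own code), the following simplified C dissector applies the kind of length check the fix describes before dereferencing 802.11 and 802.2 header fields, and extends it to the LLC header as the advisory recommends. The struct layouts, frame sizes and the `llc_saps`/`have_bytes` names are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified 802.11 data-frame header (24 bytes). Layout is an assumption
 * for illustration, not the project's real definition. */
struct dot11hdr {
    uint8_t fc[2], duration[2], addr1[6], addr2[6], addr3[6], seq[2];
};

/* IEEE 802.2 LLC header that follows the 802.11 header. */
struct dot2hdr {
    uint8_t dsap, ssap, control;
};

/* True when [offset, offset + need) lies inside the caplen captured bytes.
 * Written as a subtraction so the addition cannot overflow. */
static int have_bytes(size_t offset, size_t need, size_t caplen)
{
    return offset <= caplen && need <= caplen - offset;
}

/* Hardened dissector: returns (dsap << 8) | ssap, or -1 if the frame is too
 * short to hold the headers. The first check mirrors the advisory's fix
 * (offset + sizeof(struct dot11hdr) > caplen -> bail out); the second
 * applies the same idea to the 802.2 header before dsap/ssap are read. */
int llc_saps(const uint8_t *pkt, size_t caplen)
{
    size_t offset = 0;
    if (!have_bytes(offset, sizeof(struct dot11hdr), caplen))
        return -1;
    offset += sizeof(struct dot11hdr);
    if (!have_bytes(offset, sizeof(struct dot2hdr), caplen))
        return -1;
    const struct dot2hdr *llc = (const struct dot2hdr *)(pkt + offset);
    return (llc->dsap << 8) | llc->ssap;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t good_frame[27] = { [24] = 0xaa, [25] = 0xaa, [26] = 0x03 };
const uint8_t runt_frame[10] = { 0 };     /* shorter than the 802.11 header */
const uint8_t no_llc_frame[25] = { 0 };   /* 802.11 header, truncated LLC */

int main(void)
{
    printf("good: %d\n", llc_saps(good_frame, sizeof good_frame));       /* 43690 */
    printf("runt: %d\n", llc_saps(runt_frame, sizeof runt_frame));       /* -1 */
    printf("no_llc: %d\n", llc_saps(no_llc_frame, sizeof no_llc_frame)); /* -1 */
    return 0;
}
```

The runt frames are rejected at the length check instead of being dereferenced, which is the behaviour the patch adds; an unchecked version would read past `caplen` exactly as the AddressSanitizer report describes.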
Preconditions
- Network: The attacker must be able to send network traffic that reaches the eapmd5pass process (e.g., via a crafted .pcap file processed with -r)
- Authentication: No authentication required
- Input: The crafted packet must be smaller than the minimum size needed to contain a valid IEEE 802.2 header
Reproduction
Run `./eapmd5pass -r crash-9a3774d38a5959db160a2564c1487c57f2b336b9 -w wordlist` [1]. The AddressSanitizer output confirms a heap-buffer-overflow READ of size 1 at `assess_packet` line 211 [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. openwall.com/lists/oss-security/2017/07/31/3 (NVD tags: Exploit, Mailing List, Third Party Advisory)
News mentions
No linked articles in our index yet.