Richi Jennings

Nasty Wi-Fi 'sploit from MoKB (and golf POV aid)

November 13, 2006 5:55 AM EST
Don't point that cantenna at IT Blogwatch, in which the Month of Kernel Bugs project (MoKB) finds a doozy of an exploit for many Wi-Fi drivers. Not to mention a golf swing training aid using persistence of vision...

Brian Krebs explains:
A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops ... An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.

According to the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card's background scan for available wireless networks that apparently triggers the flaw. Security researcher Johnny "Cache" Ellch said he reported the bug to Broadcom last month
...
The Broadcom flaw also highlights a serious set of problems with fixing security vulnerabilities in device-driver software. For starters, who is responsible for shipping a patch? Many different companies use Broadcom chips and rebrand the hardware and drivers as their own. Linksys appears to be the only vendor that has a downloadable update for some of its affected devices. In addition, it's not clear what sorts of mechanisms the PC makers have in place to push updates (should they become available) out to customers.
...
In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it.
ZERT's H D Moore, Gadi Evron, and Johannes Ullrich have an advisory:
This is a Zeroday Emergency Response Team (ZERT) advisory, released jointly with the Metasploit project, the SANS Internet Storm Center (ISC) and SecuriTeam. ZERT sees this vulnerability as critical, but can not patch it.
...
Although it can not be exploited over the Internet, it can be used against your computer from a distance. If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop, or using your computer with the wireless card enabled in any public place, you are at risk. It is remote by the means of RF transmissions, the distance is dependent on the attacker's antenna and signal strength. Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card's background scan of available wireless networks triggers the flaw.
...
An exploit ... already exists.
...
We believe that [Microsoft has pushed similar updates through Windows Update] before (last week as an example, with a smaller Broadcom update). However, ... patching third party software is never an easy task, even if in collaboration with the third party. Microsoft potentially helping to patch this third-party issue could be of a significant help to get ahead of this threat.
Symantec's Shunichi Imano has more:
A machine is vulnerable to the exploit if the computer has a susceptible Broadcom Wireless-N network card, and is running the drivers in question. Unfortunately, due to the nature of wireless networking, all that is required of the attacker is to be within range of the vulnerable machine. Because this vulnerability occurs at an extremely low level within the networking protocol, there may be difficulties in detecting these attacks using standard IDS/IPS methods.

Symantec Security Response recommends that you update the wireless driver as soon as possible, if your computer is running a vulnerable version of the Broadcom Wireless driver. Otherwise, you should avoid using your wireless card to connect to networks in insecure areas, and also be aware of the risk involved when connecting wirelessly.
So what is MoKB? Matthew Murphy interviewed one of the team:
The Month of Kernel Bugs aims to demonstrate the current state of kernel code in the different operating systems available today, from a security/quality perspective. Using simple tools and procedures, the strength of the different interfaces in the kernel (ex. Linux) can be tested against common flaws. One of the procedures that has been demonstrated as highly effective is ‘fuzzing’ (basically giving crafted, yet ‘valid’ inputs to software in order to test how well it handles unexpected conditions).
...
Kernel security ... isn’t as crowded as user-land security, imposes a nice challenge and is actually taken less seriously, and less people are looking on it. ... Kernel-land issues are certainly much more tedious to work with than user-land ones. Typically you only have one chance to fail ... You make it page fault, and it’s gone.
...
It will bring some attention, hopefully. It will educate some people. It will discourage some parties from obscuring potential issues, etc. Actually I’m not a full disclosure fan, but in the end it’s the companies and corporations that deal with FUD who have advantages when security flaws aren’t exposed ... I’m doing their job. They get paid for preventing such issues from happening ... We all make mistakes, but not everyone accepts it.
Glenn Fleishman reminds us:
You’ll recognize Ellch’s name from the August through October soap opera in which Ellch and colleague David Maynor first apparently stated that they had found weaknesses in certain drivers that allowed non-associated Wi-Fi adapter attacks through weak drivers, and either implied or stated that this included Apple’s Mac OS X operating system and associated Wi-Fi drivers.

The two researchers later couldn’t be pinned down on precisely what they did say, and Apple denied that the researchers provided them with information that led to patches later released for OS X to fix what Apple described as flaws that hadn’t yet been exploited. (Those flaws involved malformed frames, a higher-level and more generic problem; they don’t appear to be identical in nature to this Broadcom vulnerability. Ellch’s methodology in discovering the flaw was apparently the same.)
...
In this current case, it looks like Ellch gets to smell like a rose with no dispute over process, proof, or results. First, he revealed the exploit privately to Broadcom with sufficient advance word that Broadcom could create a patch that Linksys was able to incorporate by Nov. 6. Second, his disclosure is fully documented. Third, the disclosure has an excellent social purpose, as well, as it will force manufacturers that may have dallied on providing fixes or full disclosures of this risk (if they knew about it), to push patches out right away.
Linux kernelista Dave Jones:
Attacks on wireless drivers seem to be en vogue, and will probably become more of a target, even open source ones. Fuzzing tools for wireless have been available for a while now, so I'm actually surprised we haven't seen more fall out here. (The calm before the storm?)

It's also surprising it's taken so long for people to realise this attack vector. Back in 2001/2002, at the Ottawa Linux Symposium, a lot of people were finding their laptops randomly rebooting every so often. After a while a pattern emerged. Every one of those affected was running the orinoco wireless driver. Turns out having a few dozen kernel hackers in the same place is a great way to get bugs like this fixed :) In short order, a number of people were auditing the driver, and found at least one case lacking a bounds check. The check was added, along with a printk to confirm the hypothesis. Sure enough, the AP was sending out frames that the driver wasn't prepared to handle.

That was several years ago, and it wouldn't surprise me at all to hear that there are other wireless drivers with similar problems. Hopefully it doesn't take a few dozen kernel hackers meeting up annually to discover them next time.
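Dave Jones's orinoco story comes down to a single missing length check on a frame the driver was not expecting. What follows is an added example, not code from the orinoco driver, from any Broadcom driver, or from anyone quoted on this page: a constructed C parser for the tag/length/value information elements (IEs) in a beacon body, with the bounds checks a driver needs before copying an over-the-air SSID into a fixed 32-byte buffer, alongside the unchecked "before" shape for contrast. The IE layout, the function names, the sample frames and the use of fprintf in place of printk are all assumptions made for illustration.

```c
/* Added example (not orinoco or Broadcom driver code): walk the information
 * elements (IEs) in a constructed 802.11 beacon body with the bounds checks a
 * driver must apply before trusting any length that arrived over the air.
 * Assumed IE wire layout: tag (1 byte) | length (1 byte) | value (length bytes). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IE_TAG_SSID   0
#define MAX_SSID_LEN  32   /* SSIDs are at most 32 bytes */

struct scan_result {
    char   ssid[MAX_SSID_LEN + 1];   /* NUL-terminated copy of the SSID */
    size_t ssid_len;
};

/* 'Before' shape, kept only for contrast and never called here: it trusts the
 * over-the-air length, so an SSID IE longer than 32 bytes writes past ssid[].
 * This is the kind of missing check the post describes. */
void copy_ssid_unchecked(struct scan_result *out, const uint8_t *val, uint8_t len)
{
    memcpy(out->ssid, val, len);
    out->ssid_len = len;
}

/* Hardened parser: returns 0 on success, -1 if the frame is malformed.
 * A malformed frame is logged and dropped (the "bounds check plus printk"
 * pattern from the post, with fprintf standing in for printk). */
int parse_beacon_ies(const uint8_t *ies, size_t ies_len, struct scan_result *out)
{
    size_t off = 0;
    out->ssid_len = 0;
    out->ssid[0] = '\0';

    while (off < ies_len) {
        /* Need a full tag+length header before reading either byte. */
        if (ies_len - off < 2) {
            fprintf(stderr, "drop: truncated IE header at offset %zu\n", off);
            return -1;
        }
        uint8_t tag = ies[off];
        size_t  len = ies[off + 1];
        size_t  remaining = ies_len - off - 2;

        /* The advertised value length must lie inside the frame body. */
        if (len > remaining) {
            fprintf(stderr, "drop: IE tag %u claims %zu bytes, %zu remain\n",
                    (unsigned)tag, len, remaining);
            return -1;
        }
        if (tag == IE_TAG_SSID) {
            /* Clamp the attacker-controlled length to the fixed buffer. */
            if (len > MAX_SSID_LEN) {
                fprintf(stderr, "drop: SSID IE length %zu exceeds %d\n", len, MAX_SSID_LEN);
                return -1;
            }
            memcpy(out->ssid, ies + off + 2, len);
            out->ssid[len] = '\0';
            out->ssid_len = len;
        }
        off += 2 + len;   /* other IE types are skipped; len is already in bounds */
    }
    return 0;
}

/* Constructed sample frame: SSID "CoffeeShop" followed by a supported-rates IE. */
static const uint8_t kGoodIes[] = {
    0x00, 10, 'C','o','f','f','e','e','S','h','o','p',
    0x01, 2, 0x82, 0x84
};

/* Well-formed frame: returns 1 when parsing succeeds and the SSID is recovered. */
int demo_good(void)
{
    struct scan_result r;
    return parse_beacon_ies(kGoodIes, sizeof kGoodIes, &r) == 0
        && r.ssid_len == 10 && strcmp(r.ssid, "CoffeeShop") == 0;
}

/* SSID IE claiming 40 bytes: internally consistent, but 40 > 32, so rejected. */
int demo_oversized_ssid(void)
{
    uint8_t frame[2 + 40];
    struct scan_result r;
    frame[0] = IE_TAG_SSID;
    frame[1] = 40;
    memset(frame + 2, 'A', 40);
    return parse_beacon_ies(frame, sizeof frame, &r);
}

/* SSID IE claiming 10 bytes when only 5 follow: length runs past the frame. */
int demo_truncated(void)
{
    static const uint8_t frame[] = { 0x00, 10, 'C','o','f','f','e' };
    struct scan_result r;
    return parse_beacon_ies(frame, sizeof frame, &r);
}

int main(void)
{
    printf("good frame parsed: %s\n", demo_good() ? "yes" : "no");
    printf("oversized SSID rejected: %s\n", demo_oversized_ssid() == -1 ? "yes" : "no");
    printf("truncated IE rejected: %s\n", demo_truncated() == -1 ? "yes" : "no");
    return 0;
}
```

The two checks matter in that order: first that the declared value length fits inside the received frame (otherwise the parser reads past the buffer), then that it fits inside the fixed destination (otherwise the copy writes past it). Rejecting the whole frame, rather than silently truncating, is what makes the log line useful as a detection signal, which is exactly how the printk in the orinoco fix confirmed that an AP was really sending such frames.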
Jimmy Daniels worries:
I get the feeling that we will see lots of botnets created from public wireless access points from now on. Since driver updates aren’t usually pushed as critical updates are from Microsoft, this could get ugly.
But Frederick Wamsley asks, "Hype or Horror?":
There are two bits of good news in this. One is that there's no evidence that bad guys are actually attacking through this security hole (yet). The other is that it's not the kind of attack that pays big money for them. They could only infect a few computers at a time, or at most several dozen, with an attack like this. They could get tens of thousands of zombie computers under their control by using an Internet-based attack.
kahunak offers this workaround:
You can also replace the bcmwl5.sys file, usually located at C:\WINDOWS\SYSTEM32\DRIVERS, with the one provided by Linksys: just download the Linksys drivers from here, extract them, disable your network adapter, copy the new bcmwl5.sys (make a backup of your own bcmwl5.sys just in case...) and activate the card again. It is a temporary solution but it's better than nothing and you don't change the name of your network card. Tested on a Dell MiniPCI 1300 WLAN and it works.
And finally... Golf swing POV training aid
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richij.com.