ZERT-01-111106
Summary

The Month of Kernel Bugs (MoKB) released an advisory (MOKB-11-11-2006) today on a wireless vulnerability in Broadcom's wireless driver.

This is a Zeroday Emergency Response Team (ZERT) advisory, released jointly with the Metasploit project, the SANS Internet Storm Center (ISC) and SecuriTeam.

ZERT sees this vulnerability as critical, but cannot patch it. This advisory explains why this is a critical issue, why we can't patch it, and what can be done.

MoKB's advisory states: "The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufactures also provide devices that ship with this driver."

Technical Discussion

Technical information about this flaw can be found in the MoKB advisory:
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
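The bug class the MoKB advisory describes is a driver trusting the length octet of an SSID information element it received over the air. The following is an added illustration, not code from ZERT, MoKB, Broadcom or any vendor driver: it sketches the unchecked copy pattern in a comment-only function and, beside it, a bounds-checked probe response parser that rejects an SSID element longer than the 32 octets IEEE 802.11 allows. Frame layout (24-byte management header, 12 bytes of fixed probe response fields, then tag/length/value elements) follows the standard; the frame builder, the frame contents and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MGMT_HDR_LEN 24          /* frame control, duration, 3 addresses, sequence control */
#define PROBE_RESP_FIXED_LEN 12  /* timestamp (8) + beacon interval (2) + capability (2) */
#define IE_SSID 0                /* element ID of the SSID information element */
#define SSID_MAX 32              /* 802.11 caps the SSID element at 32 octets */

enum ssid_status { SSID_OK = 0, SSID_TRUNCATED = -1, SSID_TOO_LONG = -2, SSID_ABSENT = -3 };

/* Illustrative unsafe pattern (never called here): the length octet ie[1]
   comes straight from the radio and may be up to 255, but the destination
   is a fixed 32-byte stack buffer. A generic sketch of the bug class, not
   the Broadcom driver's code. */
void unsafe_copy_ssid(const uint8_t *ie)
{
    uint8_t buf[SSID_MAX];
    memcpy(buf, ie + 2, ie[1]);   /* overruns buf when ie[1] > 32 */
    (void)buf;
}

/* Hardened parser: walks the information elements of a probe response,
   checks every element length against the frame boundary and the spec
   maximum, and copies the SSID into a caller-provided 33-byte buffer. */
enum ssid_status parse_probe_response_ssid(const uint8_t *frame, size_t len,
                                           char out[SSID_MAX + 1])
{
    size_t pos = MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN;
    if (len < pos) return SSID_TRUNCATED;
    while (pos + 2 <= len) {
        uint8_t tag = frame[pos];
        uint8_t ie_len = frame[pos + 1];
        if (pos + 2 + ie_len > len) return SSID_TRUNCATED;   /* element runs past the frame */
        if (tag == IE_SSID) {
            if (ie_len > SSID_MAX) return SSID_TOO_LONG;     /* the condition the advisory describes */
            memcpy(out, frame + pos + 2, ie_len);
            out[ie_len] = '\0';
            return SSID_OK;
        }
        pos += 2 + ie_len;
    }
    return SSID_ABSENT;
}

/* Builds a constructed probe response carrying one SSID element of the
   given length; returns the frame length, or 0 if cap is too small.
   Header fields are zero-filled placeholders since the parser ignores them. */
size_t build_probe_response(uint8_t *buf, size_t cap, const uint8_t *ssid, uint8_t ssid_len)
{
    size_t need = MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN + 2 + (size_t)ssid_len;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x50;   /* type = management, subtype = probe response */
    size_t pos = MGMT_HDR_LEN + PROBE_RESP_FIXED_LEN;
    buf[pos] = IE_SSID;
    buf[pos + 1] = ssid_len;
    memcpy(buf + pos + 2, ssid, ssid_len);
    return need;
}

int main(void)
{
    uint8_t frame[400];
    char out[SSID_MAX + 1];
    uint8_t long_ssid[200];
    memset(long_ssid, 'A', sizeof long_ssid);   /* constructed oversize element */

    size_t n = build_probe_response(frame, sizeof frame, (const uint8_t *)"ZERT-test", 9);
    printf("normal frame: status %d, ssid \"%s\"\n", parse_probe_response_ssid(frame, n, out), out);

    n = build_probe_response(frame, sizeof frame, long_ssid, 200);
    printf("200-byte SSID: status %d (expect %d)\n", parse_probe_response_ssid(frame, n, out), SSID_TOO_LONG);
    return 0;
}
```

The same length check is what a capture-side detector would apply: any probe response or beacon whose SSID element length exceeds 32 is malformed by definition and worth alerting on.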

FAQ

Q:  Why is this vulnerability dangerous? It's local; it cannot be used through the Internet.

A:  Although it cannot be exploited over the Internet, it can be used against your computer from a distance. If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop, or using your computer with the wireless card enabled in any public place, you are at risk. It is remote by means of RF transmissions; the distance depends on the attacker's antenna and signal strength.

Windows is exploitable without the existence of an Access Point (AP) or any interaction from the user. The card's background scan of available wireless networks triggers the flaw.

Q:  How easy would it be to build a tool to attack with?

A:  The tool already exists. An exploit is available in the development version of the Metasploit Framework (3.0) and can be used to inject any standard Windows payload into a vulnerable system.

Q:  How come this affects different vendors, why are these drivers the same?

A:  Broadcom has deals with many different companies that incorporate Broadcom chipsets in their wireless devices. All devices that use Broadcom chips, among them many laptops made by Dell and HP, as well as wireless network cards made by vendors like Linksys, share the same basic driver.

Q:  What about these other vendors whose drivers are vulnerable?

A:  Install the latest driver for your respective wireless card. Each OEM's driver is slightly different. Currently, we are only aware of a driver from Linksys which specifically patches this problem. It may work for other Broadcom based cards as well, but that is hard to predict.

Many vendors have released drivers that are more recent than the driver that was tested. While we can't tell if these drivers patch the problem, we still assume that it's a good idea to install them.

Q:  Why is ZERT not releasing a patch for this vulnerability?

A:  Although most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it. Further, building a patch for all the different drivers from each vendor and all their versions, as well as testing against them, is impractical.

Metaphorically, it is similar to the FreeBSD TCP stack vulnerability from a few years ago. Almost all operating systems used this open source stack, and thus were all vulnerable despite using different binaries and changed code.

Q:  If and when all vendors and manufacturers release patches, how will these be distributed?

A:  Other than publishing the update on their web sites, several vendors and manufacturers such as Dell have automatic update services similar to Microsoft's. Others don't and many of their clients are likely to remain vulnerable for some time to come.

Q:  Is it possible for Microsoft to push this update through their automatic updates system?

A:  We believe that has been done before (last week as an example, with a smaller Broadcom update). However, the only answer to that question can come from Microsoft. Patching third party software is never an easy task, even if in collaboration with the third party. Microsoft potentially helping to patch this third-party issue could be of significant help to get ahead of this threat.



H D Moore, Gadi Evron and Johannes Ullrich