WVE ID: WVE-2006-0071
Type: Vulnerability
Status: Candidate
Classification: Hijacking, Input Manipulation, Design Flaw
Description:
The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field.
Discussion:
This vulnerability only applies to the Windows platform, or to Linux and BSD systems using ndiswrapper with the Windows driver. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Version 3.50.21.10 of the driver is known to be vulnerable, and it is likely that other versions are vulnerable as well. Broadcom has released a fixed driver to its partners, who in turn are providing updates for the affected products. Linksys, Zonet, and other wireless card manufacturers also ship devices that use this driver.
An exploit for the vulnerability has been added to the Metasploit framework. The vulnerability does not require that the client be associated with an AP; the client only needs to be within radio range of the machine running the exploit, since probe responses are processed by the driver whether or not the card is associated. Because the overflowed code runs in the kernel, successful exploitation gives the attacker complete control of the target PC.
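The following C program is an added illustration of the bug class described above; it is not Broadcom's driver code and does not reproduce the driver's internals. It models a probe response body (8-byte timestamp, 2-byte beacon interval, 2-byte capability field, then information elements), walks the IE list to find the SSID element (ID 0), and shows a copy that trusts the one-byte IE length beside a copy that enforces the 802.11 maximum of 32 bytes. The "stack" is a plain 64-byte array with an assumed saved-return slot at offset 32, so the overwrite is observable without undefined behaviour; the 40-byte SSID frame is constructed test input, not a capture.

```c
/* Added example: models an unchecked SSID-IE copy into a 32-byte stack buffer.
 * Not Broadcom's code; the stack layout and frame contents are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN     32   /* IEEE 802.11 maximum SSID length */
#define IE_SSID           0   /* element ID of the SSID information element */
#define PROBE_RESP_FIXED 12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define MODEL_STACK      64   /* modelled frame: ssid[32] followed by a saved return */
#define RET_SLOT         32   /* assumed offset of the modelled saved return address */

/* Walk the IE list after the fixed fields. Returns 0 and sets *data/*len when
 * `id` is found, -1 if absent, -2 if an IE header claims more bytes than remain. */
int find_ie(const uint8_t *body, size_t body_len, uint8_t id,
            const uint8_t **data, size_t *len)
{
    size_t off = PROBE_RESP_FIXED;
    if (body_len < off) return -2;
    while (off + 2 <= body_len) {
        uint8_t ie_id = body[off], ie_len = body[off + 1];
        if (off + 2 + ie_len > body_len) return -2;      /* IE runs past frame end */
        if (ie_id == id) { *data = body + off + 2; *len = ie_len; return 0; }
        off += 2 + ie_len;
    }
    return -1;
}

/* Vulnerable pattern: copies ie_len bytes (attacker controlled, 0..255) into a
 * buffer sized for 32. Clamped to the model array only to keep the demo defined;
 * a real stack frame would be written straight past the buffer. */
size_t vuln_copy_ssid(const uint8_t *ie, size_t ie_len, uint8_t stack[MODEL_STACK])
{
    size_t n = ie_len > MODEL_STACK ? MODEL_STACK : ie_len;
    memcpy(stack, ie, n);                     /* no check against SSID_MAX_LEN */
    return n;
}

/* Hardened form: reject anything over the protocol maximum before copying. */
int safe_copy_ssid(const uint8_t *ie, size_t ie_len, uint8_t stack[MODEL_STACK])
{
    if (ie_len > SSID_MAX_LEN) return -1;     /* oversized SSID: drop the frame */
    memcpy(stack, ie, ie_len);
    return (int)ie_len;
}

/* Constructed probe response body: zeroed fixed fields plus one SSID IE.
 * Returns the body length, or 0 if the SSID does not fit in an IE or `out`. */
size_t build_probe_resp(uint8_t *out, size_t cap, const uint8_t *ssid, size_t ssid_len)
{
    if (ssid_len > 255 || cap < PROBE_RESP_FIXED + 2 + ssid_len) return 0;
    memset(out, 0, PROBE_RESP_FIXED);
    out[PROBE_RESP_FIXED] = IE_SSID;
    out[PROBE_RESP_FIXED + 1] = (uint8_t)ssid_len;
    memcpy(out + PROBE_RESP_FIXED + 2, ssid, ssid_len);
    return PROBE_RESP_FIXED + 2 + ssid_len;
}

/* Value left in the modelled saved-return slot after the vulnerable copy
 * handles a frame whose SSID is `ssid_len` bytes: 32 'A's then 'B's. */
uint32_t return_slot_after_vuln(size_t ssid_len)
{
    uint8_t ssid[255], body[300], stack[MODEL_STACK] = {0};
    const uint8_t *ie; size_t ie_len; uint32_t v;
    memset(ssid, 'A', SSID_MAX_LEN);
    memset(ssid + SSID_MAX_LEN, 'B', sizeof ssid - SSID_MAX_LEN);
    size_t n = build_probe_resp(body, sizeof body, ssid, ssid_len);
    if (n == 0 || find_ie(body, n, IE_SSID, &ie, &ie_len) != 0) return 0;
    vuln_copy_ssid(ie, ie_len, stack);
    memcpy(&v, stack + RET_SLOT, sizeof v);   /* 0x42424242 once 'B's reach the slot */
    return v;
}

/* Same frame through the hardened copy: bytes copied, -1 rejected, -2 malformed. */
int safe_result(size_t ssid_len)
{
    uint8_t ssid[255], body[300], stack[MODEL_STACK];
    const uint8_t *ie; size_t ie_len;
    memset(ssid, 'A', sizeof ssid);
    size_t n = build_probe_resp(body, sizeof body, ssid, ssid_len);
    if (n == 0 || find_ie(body, n, IE_SSID, &ie, &ie_len) != 0) return -2;
    return safe_copy_ssid(ie, ie_len, stack);
}

/* An IE header claiming 40 bytes in a frame that carries only 5: the walker
 * must refuse it instead of reading past the end of the buffer. */
int truncated_frame_verdict(void)
{
    uint8_t body[PROBE_RESP_FIXED + 2 + 5] = {0};
    const uint8_t *ie; size_t ie_len;
    body[PROBE_RESP_FIXED] = IE_SSID;
    body[PROBE_RESP_FIXED + 1] = 40;
    return find_ie(body, sizeof body, IE_SSID, &ie, &ie_len);
}

int main(void)
{
    printf("saved return after 40-byte SSID (vulnerable copy): 0x%08x\n",
           return_slot_after_vuln(40));
    printf("hardened copy verdict for 40-byte SSID: %d\n", safe_result(40));
    return 0;
}
```

The fix is the single length comparison in safe_copy_ssid together with the bounds check in find_ie: the IE length must be validated against both the remaining frame bytes and the element's protocol maximum before any copy onto the stack. A driver that checks only one of the two is still exploitable from any station in radio range.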
Credits
Author: Johnny Cache (johnnycsh@802.11mercenary.com), Affiliation: None
Author: Chris Eagle, Affiliation: None
References
URL:
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
URL:
http://isotf.org/advisories/zert-01-111106.htm
Released: 2006-11-11
Submitter: Chris Waters (cwaters@networkchemistry.com), Affiliation: Network Chemistry
Submitted: Mon Nov 13 15:27:12 -0800 2006
Candidate Date: Mon Nov 13 15:29:19 -0800 2006

