Serious Wireless Exploit Released

An exploit has been released for a wireless driver from Broadcom Corp. that is built into millions of new laptops from HP, Dell, Gateway and other computer makers, as well as some devices made by Linksys and Zonet. The exploit is written for one specific driver version, but its author says it could easily be modified for other versions from other manufacturers. The flaw could be used to take complete control of any vulnerable machine within a few hundred feet. It is reachable on most of these machines because the driver scans for wireless networks in the background, so a laptop is vulnerable even when it is not connected to a wireless network.

A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.

According to the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built into some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card’s background scan for available wireless networks that apparently triggers the flaw. Source: Exploit Targets Widely Deployed Wireless Flaw from SecurityFix via Faill.com

Here is a quote from the original post and a link to it.

The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufacturers also provide devices that ship with this driver. Source: Broadcom Wireless Driver Probe Response SSID Overflow
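The advisory describes the defect class: the driver copies the SSID from a received probe response into a fixed-size stack buffer without checking the length byte the sender controls. The following is an added educational example, not code from the Broadcom driver or from the advisory. It parses the information-element list of a probe response body (after the 12 fixed bytes of timestamp, beacon interval and capability that the 802.11 standard puts first) and shows the two checks a hardened parser needs: that each element's claimed length fits inside the received frame, and that the SSID fits the 32-octet maximum the standard defines before anything is copied. The function and type names, the constructed test frames and the `build_test_frame` helper are all my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 constants: an SSID is at most 32 octets; information elements
   are TLV encoded as one id byte, one length byte, then the value. */
#define SSID_MAX_LEN 32
#define IE_ID_SSID   0
/* Probe response body: timestamp (8) + beacon interval (2) + capability (2),
   followed by the information elements. */
#define PROBE_RESP_FIXED_LEN 12

enum ssid_status {
    SSID_OK = 0,        /* SSID copied into out, NUL-terminated */
    SSID_NOT_FOUND = 1, /* frame well-formed but carries no SSID element */
    SSID_TOO_LONG = 2,  /* SSID element longer than the 32-octet maximum */
    SSID_MALFORMED = 3  /* frame too short or an element overruns the frame */
};

/* Hardened extraction. The vulnerable pattern the advisory describes is a
   memcpy of `len` bytes into a 32-byte stack buffer with no comparison
   against SSID_MAX_LEN; here an oversized SSID is rejected before any copy. */
enum ssid_status extract_ssid(const uint8_t *frame, size_t frame_len,
                              char out[SSID_MAX_LEN + 1])
{
    if (frame == NULL || out == NULL || frame_len < PROBE_RESP_FIXED_LEN)
        return SSID_MALFORMED;

    size_t pos = PROBE_RESP_FIXED_LEN;
    while (pos + 2 <= frame_len) {              /* need id and length bytes */
        uint8_t id  = frame[pos];
        uint8_t len = frame[pos + 1];
        pos += 2;
        if (len > frame_len - pos)              /* element claims bytes we never received */
            return SSID_MALFORMED;
        if (id == IE_ID_SSID) {
            if (len > SSID_MAX_LEN)             /* the check whose absence causes the overflow */
                return SSID_TOO_LONG;
            memcpy(out, frame + pos, len);
            out[len] = '\0';
            return SSID_OK;
        }
        pos += len;                             /* skip elements we do not care about */
    }
    return SSID_NOT_FOUND;
}

/* Test helper (constructed input, not captured traffic): a probe response
   body whose only element is an SSID of `ssid_len` 'A' characters.
   Returns the number of bytes written, or 0 if buf is too small. */
size_t build_test_frame(uint8_t *buf, size_t buf_len, uint8_t ssid_len)
{
    size_t need = PROBE_RESP_FIXED_LEN + 2 + (size_t)ssid_len;
    if (buf_len < need) return 0;
    memset(buf, 0, PROBE_RESP_FIXED_LEN);
    buf[PROBE_RESP_FIXED_LEN]     = IE_ID_SSID;
    buf[PROBE_RESP_FIXED_LEN + 1] = ssid_len;
    memset(buf + PROBE_RESP_FIXED_LEN + 2, 'A', ssid_len);
    return need;
}

int main(void)
{
    uint8_t frame[300];
    char ssid[SSID_MAX_LEN + 1];

    size_t n = build_test_frame(frame, sizeof frame, 8);
    printf("8-byte SSID   -> status %d, ssid \"%s\"\n",
           extract_ssid(frame, n, ssid), ssid);

    n = build_test_frame(frame, sizeof frame, 200);
    printf("200-byte SSID -> status %d (rejected, nothing copied)\n",
           extract_ssid(frame, n, ssid));
    return 0;
}
```

The same two checks apply to every other variable-length element a scan handler parses (supported rates, vendor-specific elements and so on); the SSID is simply the one this advisory names, and the length byte of any element is attacker-controlled because probe responses are unauthenticated frames accepted during a background scan.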

This could be a SERIOUS problem in the future. Some organizations use Dell exclusively for their laptops, and if they don’t come up with an easy way to update these laptops to the latest driver, lots of people could be exploited. I can see a whole new crop of botnets springing from Internet cafes and places that allow free wireless internet access. Someone sitting outside with a better antenna could seriously take advantage of some organizations; this could get ugly. Ask your resellers about it now, not later, and get them working on an easy solution for you.

Update: George Ou, who writes the Real World IT blog at ZDNet, has some more information and a fix posted using an updated Linksys driver. The exploit no longer functions with this driver, but they have only tested it on a couple of devices; while it should work on most, I would think, there is always a chance something could go wrong.

Yes this is an UGLY solution but it’s all we have at this point. Broadcom should have provided certified drivers to Microsoft for inclusion in Windows Update but they didn’t. But even then, Microsoft device driver updates are never pushed out as automatic critical updates and we all know that if it isn’t automatic and seamless it probably won’t get done. This is something Microsoft needs to address with the PC industry in general because driver exploits are becoming very common and very dangerous. Source: Real World IT