[GLLUG] Broadcom NdisWrapper driver vulnerability

Stanley C. Mortel mortel at cyber-nos.com
Tue Nov 14 22:27:18 EST 2006


Just a "heads-up" for anyone not plugged into the security lists.  This is 
mainly a Windows problem (big surprise) but the indication that Linux users 
might be at risk via the NdisWrapper, together with the widespread use of 
Broadcom chips and their "issues" with Linux, resulting in the use of 
NdisWrapper, prompted me to send this out to the list.

***************

Windows laptops with wireless cards that use Broadcom device drivers
(Broadcom chips are used in machines from HP, Dell, Gateway, and
eMachines) are directly vulnerable to the attack that has gotten so much
press on Macintosh wireless.  You are vulnerable if your wireless card
is turned on, even if you are not connected to a wireless access point.

(1) HIGH: Broadcom Wireless Device Driver Buffer Overflow
Affected:
Broadcom BCMWL5.SYS Driver version 3.50.21.10 and possibly prior

Description: The Broadcom BCMWL5.SYS device driver, used to control
Broadcom wireless cards, contains a buffer overflow vulnerability. By
sending an overly-long SSID in a probe response, an attacker could
exploit this buffer overflow and take complete control of the vulnerable
system. No authentication is required, and attackers need only be within
wireless range of the vulnerable system. This driver is primarily
designed for Microsoft Windows systems, but it is believed to be
compatible with the "NdisWrapper" cross-platform driver framework,
making it possible to run this driver under Linux on the Intel platform.
This vulnerability was discovered as part of a project to discover bugs
in various operating systems' kernels. A working exploit is available
for this vulnerability. This vulnerability is similar to one discovered
for Mac OS X and documented in an earlier issue of @RISK.

Status: Some vendors have supplied patches for this vulnerability for
their wireless cards.

References:
Month of Kernel Bugs Security Advisory
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
Metasploit Exploit Module
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/driver/broadcom_wifi_ssid.rb
Broadcom Wireless Home Page
http://www.broadcom.com/products/Wireless-LAN
Wikipedia Entry on Device Drivers
http://en.wikipedia.org/wiki/Device_Driver
NdisWrapper Home Page
http://ndiswrapper.sourceforge.net/
Previous @RISK Entry
http://www.sans.org/newsletters/risk/display.php?v=5&i=31#vulnerabilities1


****************************
Stan Mortel
mortel at cyber-nos.com
****************************
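
The advisory above describes an overflow triggered by an overly long SSID in a probe response. The C sketch below is an added example, not part of the original post, the quoted advisory, or Broadcom's driver: it shows the length checks a frame parser needs before copying the SSID element. It assumes the standard probe response body layout (12 bytes of fixed fields followed by tagged elements) and the 32-byte SSID limit from IEEE 802.11; all function names and sample frames are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROBE_RESP_FIXED_LEN 12 /* timestamp(8) + beacon interval(2) + capability(2) */
#define IE_SSID 0               /* element ID of the SSID element */
#define SSID_MAX_LEN 32         /* IEEE 802.11 maximum SSID length */

enum ssid_status { SSID_OK = 0, SSID_MISSING, SSID_TOO_LONG, SSID_TRUNCATED };

/* Walk the tagged elements of a probe response body and copy the SSID only
 * after checking its length against both the frame and the destination. */
enum ssid_status extract_ssid(const uint8_t *body, size_t body_len,
                              uint8_t out[SSID_MAX_LEN], size_t *out_len)
{
    size_t off = PROBE_RESP_FIXED_LEN;
    *out_len = 0;
    if (body_len < PROBE_RESP_FIXED_LEN)
        return SSID_TRUNCATED;
    while (body_len - off >= 2) {
        uint8_t id = body[off];
        size_t len = body[off + 1];
        off += 2;
        if (len > body_len - off)
            return SSID_TRUNCATED;    /* element claims more bytes than the frame holds */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return SSID_TOO_LONG; /* over-long SSID: reject, never copy */
            memcpy(out, body + off, len);
            *out_len = len;
            return SSID_OK;
        }
        off += len;                   /* skip elements we do not care about */
    }
    return SSID_MISSING;
}

/* Constructed sample bodies: zeroed fixed fields, then tagged elements. */
static const uint8_t sample_ok[] = { [12] = IE_SSID, 5, 'g', 'l', 'l', 'u', 'g',
                                     1, 1, 0x82 };
static const uint8_t sample_long[12 + 2 + 40] = { [12] = IE_SSID, [13] = 40 };
static const uint8_t sample_trunc[12 + 2 + 4] = { [12] = IE_SSID, [13] = 20 };

int main(void) {
    uint8_t s[SSID_MAX_LEN]; size_t n;
    printf("ok=%d ", extract_ssid(sample_ok, sizeof sample_ok, s, &n));
    printf("long=%d ", extract_ssid(sample_long, sizeof sample_long, s, &n));
    printf("trunc=%d\n", extract_ssid(sample_trunc, sizeof sample_trunc, s, &n));
    return 0;
}
```

A monitoring tool can log every frame that returns SSID_TOO_LONG or SSID_TRUNCATED, since neither occurs in well-formed traffic.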


