[GLLUG] Broadcom NdisWrapper driver vulnerability

Clay Dowling clay at lazarusid.com
Wed Nov 15 09:36:13 EST 2006


And this, my friends, is exactly why the OpenBSD team is so uptight about
using closed drivers provided by the hardware company.  Not that I'm
looking to start a holy war here, just saying that the fact that they're
paranoid doesn't mean that they're wrong.

Clay Dowling

Stanley C. Mortel said:
> Just a "heads-up" for anyone not plugged into the security lists.  This is
> mainly a Windows problem (big surprise) but the indication that Linux users
> might be at risk via the NdisWrapper, together with the widespread use of
> Broadcom chips and their "issues" with Linux, resulting in the use of
> NdisWrapper, prompted me to send this out to the list.
>
> ***************
>
> Windows laptops with wireless cards that use Broadcom device drivers
> (Broadcom chips are used in machines from HP, Dell, Gateway, and
> eMachines) are directly vulnerable to the attack that has gotten so much
> press on Macintosh wireless.  You are vulnerable if your wireless card
> is turned on, even if you are not connected to a wireless access point.
>
> (1) HIGH: Broadcom Wireless Device Driver Buffer Overflow
> Affected:
> Broadcom BCMWL5.SYS Driver version 3.50.21.10 and possibly prior
>
> Description: The Broadcom BCMWL5.SYS device driver, used to control
> Broadcom wireless cards, contains a buffer overflow vulnerability. By
> sending an overly-long SSID in a probe response, an attacker could
> exploit this buffer overflow and take complete control of the vulnerable
> system. No authentication is required, and attackers need only be within
> wireless range of the vulnerable system. This driver is primarily
> designed for Microsoft Windows systems, but it is believed to be
> compatible with the "NdisWrapper" cross-platform driver framework,
> making it possible to run this driver under Linux on the Intel platform.
> This vulnerability was discovered as part of a project to discover bugs
> in various operating systems' kernels. A working exploit is available
> for this vulnerability. This vulnerability is similar to one discovered
> for Mac OS X and documented in an earlier issue of @RISK.
>
> Status: Some vendors have supplied patches for this vulnerability for
> their wireless cards.
>
> References:
> Month of Kernel Bugs Security Advisory
> http://projects.info-pull.com/mokb/MOKB-11-11-2006.html
> Metasploit Exploit Module
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/driver/broadcom_wifi_ssid.rb
> Broadcom Wireless Home Page
> http://www.broadcom.com/products/Wireless-LAN
> Wikipedia Entry on Device Drivers
> http://en.wikipedia.org/wiki/Device_Driver
> NdisWrapper Home Page
> http://ndiswrapper.sourceforge.net/
> Previous @RISK Entry
> http://www.sans.org/newsletters/risk/display.php?v=5&i=31#vulnerabilities1
>
>
> ****************************
> Stan Mortel
> mortel at cyber-nos.com
> ****************************
>
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>


-- 
Simple Content Management
http://www.ceamus.com
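
The advisory quoted above describes an overflow triggered by an overly long SSID in a probe response. As an added example (not part of the original post, the advisory, or Broadcom's driver), this C code shows the length checks a parser of 802.11 tagged parameters needs before it copies an SSID into a fixed buffer; the function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID      0   /* 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* longest SSID the 802.11 standard allows */

enum { SSID_OK = 0, SSID_NOT_FOUND = -1, SSID_TOO_LONG = -2, SSID_TRUNCATED = -3 };

/* Walk the (id, len, value) elements that follow the fixed fields of a
 * probe response and copy the SSID into out. Nothing is copied on error. */
int extract_ssid(const uint8_t *ies, size_t ies_len,
                 uint8_t out[SSID_MAX_LEN], size_t *out_len)
{
    size_t off = 0;
    while (off < ies_len) {
        if (ies_len - off < 2)
            return SSID_TRUNCATED;       /* no room for id + len bytes */
        uint8_t id = ies[off], len = ies[off + 1];
        off += 2;
        if (len > ies_len - off)
            return SSID_TRUNCATED;       /* claimed length runs past the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return SSID_TOO_LONG;    /* reject instead of copying */
            memcpy(out, ies + off, len);
            *out_len = len;
            return SSID_OK;
        }
        off += len;                      /* skip elements we do not need */
    }
    return SSID_NOT_FOUND;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good_ies[] = { 0x01, 0x01, 0x82, IE_SSID, 4, 'h', 'o', 'm', 'e' };
static const uint8_t long_ies[2 + 40] = { IE_SSID, 40 };   /* 40-byte SSID */
static const uint8_t cut_ies[] = { IE_SSID, 16, 'a', 'b' }; /* claims 16, has 2 */

int main(void)
{
    uint8_t ssid[SSID_MAX_LEN];
    size_t n = 0;
    printf("good: %d\n", extract_ssid(good_ies, sizeof good_ies, ssid, &n));
    printf("long: %d\n", extract_ssid(long_ies, sizeof long_ies, ssid, &n));
    printf("cut:  %d\n", extract_ssid(cut_ies, sizeof cut_ies, ssid, &n));
    return 0;
}
```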


