Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Execution Bug In Broadcom Wi-Fi Driver

Posted by Zonk on from the catch-that-insect dept.

2U*U2 writes to mention an EWeek article about an entry in the Month of Kernel Bugs. John Ellch has discovered a critical vulnerability in the Broadcom wireless driver: a driver used in machines from HP, Dell, Gateway, and eMachines. From the article: "[The bug] is a stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver that could be exploited by attackers to take complete control of a Wi-Fi-enabled laptop. The vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field and can lead to arbitrary kernel-mode code execution. The volunteer ZERT (Zero Day Emergency Response Team) warns that the flaw could be exploited wirelessly if a vulnerable machine is within range of the attacker."

8 of 157 comments (clear)

  1. So... by radu.stanca · · Score: 4, Insightful

    ...the BlackHat presentation this Johnny Cache gave was not just FUD, he really did find bugs in wireless drivers.

    1. Re:So... by node+3 · · Score: 2, Insightful
      You can delude yourself all you want.
      In what way am I deluding myself? In every conceivable way, the hackers in question have failed to give me any reason to believe they actually had an exploit against Apple's AirPort drivers.

      Sure, it's *possible* they really had an exploit, and they just don't care if anyone believes them. But given they've not given me a reason to believe them, why on earth should I?

      Even worse, they've never even made it clear EXACTLY WHAT their claim is. In other words, they've never stated, clearly, that they actually had a working exploit against Apple's AirPort drivers.

      What makes you want to so strongly defend such an ambiguous claim that has such little evidence?
  2. Broadcom neglegance by Anonymous Coward · · Score: 2, Insightful

    They either 1) dont run static analysers or 2) run them but punted the bug

    Which is it Broadcom? Either way it is neglegance. Im tired of developers spouting hot air about being Accountable, Responsible and Reliable etc blah blah and especially practicing good engineering and hearing design patterns yawn. I hear it every day, I worked as a dev and left it as its the same old shit every day day in day out, same for test.

    We have tools, run them, we have practices, use them.

    If those are not good enough, retool and reorg.

    Oh wait, its business not engineering, sorry my bad :)

    Engineering is a blue collar job today, it should not be called "science" it is not science. Wise up.

    1. Re:Broadcom neglegance by Anonymous Coward · · Score: 1, Insightful

      They probably don't even Thread Model their products or run injectors and fuzzers.

      More fool them. Its pure and simply, bad engineering, product design and management.

  3. User space device drivers by camcorder · · Score: 4, Insightful

    There's a discussion about having user space device drivers for usb wireless sticks and some other drivers as well for linux kernel. I hope this kind of attack vectors encourage kernel developers to go in this way. Keeping stuff in user space as much as it allows would again let Linux to be secure-by-design once again. Currently couple of tools (like wpa_supplicant) running in user space, and I wonder their situation in Windows kernel. If they are not (which I guess they are not -because microsoft is known to be putting huge code into kernel level) then that's a huge problem from security perspective.

  4. Re:Please stop using C. by FireFury03 · · Score: 5, Insightful

    C is the source of all these problems. Please stop using it.

    It's not that simple. C is used in high performance code specifically because it's fast and compact. You get these improvements by avoiding needless length checking. Obviously there are cases where you _do_ need to length check buffers (and exploits are the result of not doing this), but you don't have to length check everything. If you ditch C in favour of a language that does the length checking for you then you will sacrifice speed and compactness since it will be checking _everything_.

    What language would you suggest is more suitable for writing high performance kernel code?

    --
    http://blog.nexusuk.org
  5. It has to be said... by Anonymous Coward · · Score: 2, Insightful

    As the number of cases of these driver-flaw attacks mounts, I think it is fair to say the OpenBSD stance on proprietary driver 'blobs' has been fully vindicated. When they took this stance, a fair number of Slashdot posters were publically knocking them as unrealistic-paranoid-idealists. Well here you have it -- deep-fried crow ... yum.

  6. Re:Will this help? by enosys · · Score: 2, Insightful

    I'm not sure it's especially hard to write a secure wireless driver. It's more probable that they just didn't think very much about security when writing drivers.