13 November 2006, 13:15

Security hole in WLAN driver

Windows drivers for Broadcom WLAN hardware are the latest items highlighted as part of the Month of Kernel Bugs (MoKB) project. Jon Ellch has reported that a vulnerability in the drivers allows attackers to gain control of the system. Broadcom chips are often found in products from other manufacturers. A demonstration module showing how the hole is exploited and how arbitrary code could be injected is already available for the Metasploit framework 3.

The driver is thrown off kilter during the processing of what are known as probe response packets that have a long entry in the SSID network name. This causes a buffer overflow. Background scans for access points can allow attackers to exploit the hole as soon as the WLAN hardware is activated – such as in airports, train stations, or hotels.

The security hole is within the Broadcom driver BCMWL5.SYS with version number 3.50.21.10, although other driver versions may also be affected. A new version of the driver, 4.100.15.5, is already available for the Linksys laptop WLAN card WPC300N; the FrSIRT advisory reports that the update no longer contains the flaw.

The security hole is not just a matter for Windows users. Linux and FreeBSD users who integrate their WLAN hardware using the NDIS wrapper are also potentially threatened.

Broadcom is purported to have already distributed updated drivers to hardware makers like HP, Dell, Gateway and Linksys. Users of those brands of hardware should immediately install the new drivers as they become available.

The MoKB project has also listed two other Linux vulnerabilities since Friday. Specially manipulated file streams could allow attackers to execute a denial of server attack on drivers for the ext2 and ext3 file streams. To provoke the bug, the victim must actually read the rigged file stream; simply engaging the file stream is not enough on its own.