Exploit Targets Widely Deployed Wireless Flaw
A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet, so be forewarned that reading the rest of this post could make you awfully leery of that guy sitting in the corner booth at Starbucks gleefully clacking away on his laptop.
According to the the latest addition to the Month of Kernel Bugs project, the vulnerability resides in a flawed device driver from Broadcom Corp. that is bundled with many different laptops and built in to some devices made by Linksys and Zonet. The flaw is exploitable on vulnerable Windows machines whether or not the machine is connected to a wireless network. In fact, it is the wireless card's background scan for available wireless networks that apparently triggers the flaw.
Security researcher Johnny "Cache" Ellch said he reported the bug to Broadcom last month, and that the exploit code he released today is tailored to work on a very specific version of the Broadcom driver (Version 3.50.21.10). Still, he said, it appears that every version except a brand new one currently being distributed is vulnerable.
"The exploit only needs to be modified slightly for other versions," Ellch wrote in an online chat conversation with Security Fix.
The Broadcom flaw also highlights a serious set of problems with fixing security vulnerabilities in device-driver software. For starters, who is responsible for shipping a patch? Many different companies use Broadcom chips and rebrand the hardware and drivers as their own. Linksys appears to be the only vendor that has a downloadable update for some of its affected devices. In addition, it's not clear what sorts of mechanisms the PC makers have in place to push updates (should they become available) out to customers.
Apparently, these are questions that a number of security experts are also asking now. In an alert jointly posted today by the Zeroday Emergency Response Team (ZERT is the group that made headlines earlier this year for releasing an unofficial patch to fix a dangerous Windows flaws), the Metasploit Project, the SANS Internet Storm Center and SecuriTeam, the groups explained why writing a one-sized-fits-all patch would not work in this instance.
"Though most of these vendors and manufacturers use the same basic driver, it differs enough that in most cases a single patch just won't cut it," the groups wrote in their alert. "Further, building a patch for all the different drivers from each vendor and all their versions, as well as test against them, is impractical."
Paul Vixie, a ZERT volunteer, said Microsoft's Windows Update and Automatic Update patch deployment network could play a huge role in pushing fixes out to affected machines, but he said that process would likely be complicated and take some time.
"Any way they try to address this is going to be a mess, and moving the fix to the user is going to be a lot like moving water with a fork," Vixie said. "This is dangerous because we know that people who like to do bad things are going to take advantage of this, that's no longer an open question."
There is evidence to suggest the Linksys patch may plug the security hole in certain operating systems, but it's not altogether straightforward and we may not be at the stage where it would be responsible to explain how to do that. I suspect that a number of PC makers will come forward with updates to fix this problem in the coming days and weeks, and Security Fix will point to those as they are made available.
In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it.
By Brian Krebs |
November 11, 2006; 6:08 PM ET
Latest Warnings
Previous: Microsoft to Issue Six Security Patches Next Week |
Next: A Little Patch Housekeeping
Posted by: antibozo | November 11, 2006 7:16 PM
I'm glad you said "Security researcher" versus "Security professional" - what professional would release and publicize an exploit?
Posted by: DZ | November 12, 2006 11:57 AM
>what professional would release and publicize an exploit?
Perhaps one who had reason to believe that he/she was not the only one who might have uncovered the flaw, and who was unhappy with the speed with which the responsible party(ies) were responding with a fix? Perhaps one who thought that the evidence of a working exploit (as opposed to an ambiguous warning) would help get the attention of the user base (as well as the aforementioned responsible parties), and provide the opportunity to suggest stop-gap measures, such as disabling the wireless function on your computer in situations where it is not necessary?
Hypothetical, of course.
Posted by: Peter Yellman | November 12, 2006 1:12 PM
There are two common reasons for releasing an exploit.
1. To force the vendor to issue a patch.
You might ask why this is necessary if the exploit is not released. It's necessary because the researcher has no way of knowing that he or she is the only person to have found the vulnerability--someone else may have found it and written exploit code, and may be actively exploiting the vulnerability. This is what "full disclosure" is about--making the vulnerability public knowledge eliminates the possibility that it is already being exploited by a limited population.
Many vendors, unless they know for certain that a vulnerability is being exploited, will drag their feet on producing a patch, preferring to keep their engineers on building new features, despite the fact that some users may be actively harmed. Full disclosure is arguably the most efficient way to refocus an irresponsible vendor's energy on security.
Note that the usual protocol is to inform the vendor about the vulnerability first, wait a few weeks, then inform the world. Thirty days, more or less, is the accepted window. Note that the researcher is vulnerable to accusations during that window. Suppose someone else independently discovers the vulnerability and starts exploiting it after the researcher has informed the vendor, but before public disclosure. The researcher then becomes a target for investigation because he or she is the only person the vendor can point to who had knowledge of the vulnerability.
2. So that people can independently determine whether they are vulnerable. Releasing an exploit allows the community to develop tests to determine whether a given target is vulnerable. In a case like this, where the vulnerable code may express in many different vendors' drivers, it's especially important to have a general tool for locating the ones with a problem.
Posted by: antibozo | November 12, 2006 2:41 PM
Brian: While I have been unable to get the exploit to work with my current equipment, I would offer a possible mitigation for people with XP. While the announcement says that a buffer overflow condition is triggered by a very long name attached to a malevlent wireless access point when a vulnerable box scans for local access points, I suspect -- but do not know for certain -- that the impact can be minimized by turning off the "Automatically connect to non-preferred networks" toggle. To get there, click on the START key on the lower left, then click on "connect to..." in the middle of the second column. Choose wireless, make sure the "General" tab is active on the tob left, then click on the "Properties" button on the lower left of the panel. On the bottom right, chose the "Advanced" button above the cancel button at the bottom. When the new panel pops up, uncheck the bottom line, "Automatically connect to non-preferred networks." I might also suggest choosing "Access point (infrastructure connections) only" using the radio buttons above that. Hit close, then okay. Again, not sure if this will provide any protection in this instance, but it's a good practice in any event, and shouldn't cause most people much pain.
Posted by: Dave | November 12, 2006 9:24 PM
I really don't get it. Jon and I were called fakes in August for not releasing code, now he is being called unprofessional for releasing code. You can't have it both ways, make up your mind.
Posted by: David Maynor | November 13, 2006 7:46 AM
How do you tell if you have a Broadcom Wireless driver? And how can you find out what version it is? Thanks.
Posted by: Adrian | November 13, 2006 9:53 AM
David Maynor - In this case Jon is an unprofessional non-fake, but with the other fictitious wireless issue you both were just fakes. I hope that helps clear things up.
BTW - The next time you come up with an issue be sure to provide the company in question information that would allow them to replicate your results. This is how real researchers do it.
Posted by: Bob J | November 13, 2006 12:54 PM
Bob J, what Johnny Cache did in this case is exactly what pretty much any other professional would do: notify vendor, wait thirty days, disclose to the public. By asserting he is "unprofessional", you simply demonstrate that you don't understand the protocols of the profession.
David Maynor, don't let the turkeys get you down, especially with Thanksgiving coming up soon.
Posted by: antibozo | November 13, 2006 1:04 PM
The link below specifies the generally agreed upon protocol for the disclosure of security issues. I can assure you from first hand knowledge that neither DM or JC know anything about these protocols and have only acted like preadolescences with ADD in any of their communications.
As for your statement "you simply demonstrate that you don't understand the protocols of the profession." really just underscores that you are the anti antibozo.
There is a lot more than just giving 30-days to a vendor and then publishing your findings. A real security professional would know that...
Posted by: Bob J | November 13, 2006 7:10 PM
Bob J> The link below specifies the generally agreed upon protocol for the disclosure of security issues.
You are obviously mistaken in asserting that the guidelines you cite establish the "generally agreed upon protocol" for disclosure, given that very few researchers actually follow those guidelines.
The general community follows RFPolicy:
http://www.wiretrip.net/rfp/policy.html
This establishes five working days as the minimum waiting period from contact to the researcher doing whatever he or she feels is appropriate. If you have the patience to follow full-disclosure you'll see that thirty days is generally considered a reasonable period for most vendors to prepare a patch. Every day the vulnerability is not fully disclosed is a day on which the researcher may be accused of actively exploiting it. Full disclosure is the professional's self-defense. The most cautious professional will keep that time period as short as possible, while still giving the vendor adequate time to prepare a patch.
Personally, I disclose to US-CERT and leave it to them to negotiate a public disclosure schedule with the vendor, but that is not what the majority do, and if I were interested in getting maximum credit I would do otherwise.
Bob J> I can assure you from first hand knowledge that neither DM or JC know anything about these protocols and have only acted like preadolescences with ADD in any of their communications.
Your assurance is pointless as I don't even know you. If you have further specific information to provide, that might be interesting.
Bob J> There is a lot more than just giving 30-days to a vendor and then publishing your findings.
Naturally, but that doesn't mean following that procedure is "unprofessional". This nonsense of dismissing people's actions as unprofessional is a barely disguised ad hominem attack. If you can demonstrate that JC has done something in this case that would raise eyebrows in the security community, by all means, please do. But name-calling is no substitute for evidence.
Posted by: antibozo | November 13, 2006 9:15 PM
The comments to this entry are closed.
Even laptops that don't sport a wireless disabler button usually provide a mechanism in the BIOS for disabling the wireless.