Sunday, October 28, 2012

Dependency Hell is Still Warm - Broadcom WiFi DoS

**** props to @tothehilt (on da twitters)

So the cool dudes at CoreLabs released a vulnerability announcement and some PoC code this week that DoSes devices built on two Broadcom WiFi chips, the BCM4325 and BCM4329. Cut from the site (http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329):


Products containing BCM4325 and BCM4329 chipsets:

BCM4325
  • Apple iPhone 3GS
  • Apple iPod 2G
  • HTC Touch Pro 2
  • HTC Droid Incredible
  • Samsung Spica
  • Acer Liquid
  • Motorola Devour
  • Ford Edge (yes, it's a car)

BCM4329
  • Apple iPhone 4
  • Apple iPhone 4 Verizon
  • Apple iPod 3G
  • Apple iPad Wi-Fi
  • Apple iPad 3G
  • Apple iPad 2
  • Apple TV 2G
  • Motorola Xoom
  • Motorola Droid X2
  • Motorola Atrix
  • Samsung Galaxy Tab
  • Samsung Galaxy S 4G
  • Samsung Nexus S
  • Samsung Stratosphere
  • Samsung Fascinate
  • HTC Nexus One
  • HTC Evo 4G
  • HTC ThunderBolt
  • HTC Droid Incredible 2
  • LG Revolution
  • Sony Ericsson Xperia Play
  • Pantech Breakout
  • Nokia Lumia 800
  • Kyocera Echo
  • Asus Transformer Prime
  • Malata ZPad

Nice list of kit there. The PoC code is on the site as well; that's the easy part. The hard part was getting the dependencies, Lorcon2 and PyLorcon2, installed so that they actually pick up your wifi card. Following the instructions on the links CoreLabs references is #FAIL. After figuring this out, @tothehilt produced this tried/true/tested list of steps in order to make the lulz happen.

Step One: Build Lorcon2

    # git clone https://code.google.com/p/lorcon/ lorcon
    # cd lorcon
    # ./configure --prefix=/usr
    # make depend
    # make
    # make install

Step Two: Build PyLorcon2

    # apt-get install libpcap-dev libnl-dev python-dev
    # cd ..
    # svn checkout http://pylorcon2.googlecode.com/svn/trunk/ pylorcon2
    # cd pylorcon2
    # python setup.py build
    # python setup.py install


Step Three: Test PyLorcon2

    # python
    Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
    [GCC 4.4.3] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>>
    >>> import PyLorcon2
    >>>
    >>> PyLorcon2.get_version()
    20091101
    >>> for driver in PyLorcon2.list_drivers():
    ...     print driver
    ...
    ('madwifing', 'Linux madwifi-ng drivers, deprecated by ath5k and ath9k')
    ('tuntap', 'Linux tuntap virtual interface drivers')
    ('mac80211', 'Linux mac80211 kernel drivers, includes all in-kernel drivers on modern systems')
    >>>

The 'mac80211' entry is the one that matters for any modern in-kernel wifi driver. If it is missing from list_drivers(), Lorcon2's configure step did not find the libnl headers (the libnl-dev package) and skipped the mac80211 driver; install the -dev packages, then re-run configure, make and make install for Lorcon2 and rebuild PyLorcon2 against it.

Step Four: Use the Proof of Concept Code

    # python poc.py wlan0

Have fun dropping people's wifi!

MISC Fun Stuff Noted:
  • Some devices require a restart to reconnect to wifi after the script is killed.
  • The PoC code creates an SSID 'buggy' that contains the RSN/TKIP overflow magic.
  • Other devices not on the list act 'weird'. The exploit fires when the user goes to the wireless settings screen (on a phone) or the wifi taskbar (on a laptop) to look for other networks, i.e. when the device actually parses the beacons. Laptops and phones also dropped during this PoC; more testing required.
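The bug class behind this advisory is an input-validation failure in the chip's beacon parser: it trusts a count field inside the RSN information element without checking that the suites it announces actually fit inside the element. The following is an added example, written here for illustration, and is not code from this post or from the CoreLabs PoC. It is a small Python 3 beacon-body parser that applies the bounds checks a firmware or driver parser (or a monitoring sensor) needs before walking an RSN element: every IE length is checked against the frame, and each cipher-suite count is checked against the element's own length. The IE ids (0 for SSID, 48 for RSN) and the suite selectors 00-0F-AC-04 (CCMP) and 00-0F-AC-02 (PSK) come from IEEE 802.11; the two sample beacon bodies are constructed for this example, and the malformed one illustrates the general inconsistency (a count larger than the element can hold), not the specific bytes the PoC sends.

```python
import struct

# Information Element ids from IEEE 802.11.
IE_SSID = 0
IE_RSN = 48

# Cipher/AKM suite selectors from IEEE 802.11 (OUI 00-0F-AC).
CCMP = b"\x00\x0f\xac\x04"
AKM_PSK = b"\x00\x0f\xac\x02"


def build_beacon_body(ies):
    """Assemble a beacon frame body (the part after the MAC header) from
    (ie_id, payload) pairs. Used only to construct the samples below."""
    fixed = bytes(12)  # timestamp(8) + beacon interval(2) + capability(2), zeroed
    return fixed + b"".join(bytes([ie_id, len(p)]) + p for ie_id, p in ies)


def parse_ies(body):
    """Return [(ie_id, payload), ...] for a beacon body.

    Raises ValueError if any element's declared length runs past the end of
    the frame; this is the first check a robust 802.11 parser must make."""
    ies = []
    off = 12  # skip the fixed fields
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % off)
        ie_id, ie_len = body[off], body[off + 1]
        if off + 2 + ie_len > len(body):
            raise ValueError("IE %d length %d exceeds frame" % (ie_id, ie_len))
        ies.append((ie_id, body[off + 2:off + 2 + ie_len]))
        off += 2 + ie_len
    return ies


def validate_rsn(payload):
    """Walk an RSN element and verify that every suite count fits inside it.

    Layout: version(2) group cipher(4) pairwise count(2) pairwise suites(4*n)
            AKM count(2) AKM suites(4*m) [RSN capabilities(2) ...]
    Everything after the version is optional, but a present count must be
    backed by that many 4-byte suites. Returns a summary dict or raises."""
    if len(payload) < 2:
        raise ValueError("RSN element shorter than its version field")
    version = struct.unpack_from("<H", payload, 0)[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    summary = {"version": version, "pairwise": [], "akm": []}
    off = 2
    if off == len(payload):
        return summary  # group cipher omitted: defaults apply
    if off + 4 > len(payload):
        raise ValueError("RSN group cipher field is truncated")
    summary["group"] = payload[off:off + 4]
    off += 4
    for key in ("pairwise", "akm"):
        if off == len(payload):
            return summary  # optional tail omitted
        if off + 2 > len(payload):
            raise ValueError("RSN %s count field is truncated" % key)
        count = struct.unpack_from("<H", payload, off)[0]
        off += 2
        # The check the vulnerable parser lacks: does the announced number of
        # suites actually fit in the bytes this element carries?
        if off + 4 * count > len(payload):
            raise ValueError("RSN %s count %d does not fit in a %d-byte element"
                             % (key, count, len(payload)))
        summary[key] = [payload[off + 4 * i:off + 4 * i + 4] for i in range(count)]
        off += 4 * count
    return summary  # remaining bytes (RSN capabilities etc.) are not needed here


def check_beacon(body):
    """Return ('accept', ssid) for a consistent beacon body, or
    ('reject', reason) for one that a hardened parser should drop."""
    try:
        ies = parse_ies(body)
        ssid = next((p.decode("utf-8", "replace") for i, p in ies if i == IE_SSID), "")
        for ie_id, p in ies:
            if ie_id == IE_RSN:
                validate_rsn(p)
        return ("accept", ssid)
    except ValueError as exc:
        return ("reject", str(exc))


# Constructed samples (not captured traffic).
# A well-formed WPA2-PSK/CCMP element: one pairwise suite, one AKM suite.
GOOD_RSN = (struct.pack("<H", 1) + CCMP + struct.pack("<H", 1) + CCMP
            + struct.pack("<H", 1) + AKM_PSK + struct.pack("<H", 0))
# Same 20-byte element, but the pairwise count claims 0xFFFF suites.
BAD_RSN = (struct.pack("<H", 1) + CCMP + struct.pack("<H", 0xFFFF) + CCMP
           + struct.pack("<H", 1) + AKM_PSK + struct.pack("<H", 0))

GOOD_BEACON = build_beacon_body([(IE_SSID, b"lab-ap"), (IE_RSN, GOOD_RSN)])
BAD_BEACON = build_beacon_body([(IE_SSID, b"buggy"), (IE_RSN, BAD_RSN)])

if __name__ == "__main__":
    for name, body in (("good", GOOD_BEACON), ("bad", BAD_BEACON)):
        print(name, check_beacon(body))
```

Run over a beacon captured from a monitor-mode interface, check_beacon() gives a sensor a cheap way to flag frames of this shape before any client nearby parses them; the same two bounds checks (IE length against frame, suite count against IE length) are the fix on the parser side.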