So the cool dudes at CoreLabs released a vulnerability advisory and some PoC code this week that kills two Broadcom WiFi chips, the BCM4325 and the BCM4329. Cut from the site (http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329):
Products containing BCM4325 and BCM4329 chipsets:

BCM4325
- Apple iPhone 3GS
- Apple iPod 2G
- HTC Touch Pro 2
- HTC Droid Incredible
- Samsung Spica
- Acer Liquid
- Motorola Devour
- Ford Edge (yes, it's a car)

BCM4329
- Apple iPhone 4
- Apple iPhone 4 (Verizon)
- Apple iPod 3G
- Apple iPad Wi-Fi
- Apple iPad 3G
- Apple iPad 2
- Apple TV 2G
- Motorola Xoom
- Motorola Droid X2
- Motorola Atrix
- Samsung Galaxy Tab
- Samsung Galaxy S 4G
- Samsung Nexus S
- Samsung Stratosphere
- Samsung Fascinate
- HTC Nexus One
- HTC Evo 4G
- HTC ThunderBolt
- HTC Droid Incredible 2
- LG Revolution
- Sony Ericsson Xperia Play
- Pantech Breakout
- Nokia Lumia 800
- Kyocera Echo
- Asus Transformer Prime
- Malata ZPad
Nice list of kit there. The PoC code is on the site as well; that's the easy part. The hard part was getting the dependencies, Lorcon2 and PyLorcon2, installed so that they actually pick up your WiFi card. Following the instructions on the links the CoreLabs advisory references is #FAIL. After figuring this out, @tothehilt produced this tried/true/tested list of steps to make the lulz happen.
Step One: Lorcon2

Install the build dependencies before you run configure: lorcon only builds its mac80211 (nl80211) driver if configure finds the libnl headers, and without that driver PyLorcon2 will never see a modern in-kernel WiFi card. If you already built lorcon without them, install the packages and run the configure/make/make install steps again.

# apt-get install libpcap-dev libnl-dev python-dev
# git clone https://code.google.com/p/lorcon/ lorcon
# cd lorcon
# ./configure --prefix=/usr
# make depend
# make
# make install

Build PyLorcon2

# cd ..
# svn checkout http://pylorcon2.googlecode.com/svn/trunk/ pylorcon2
# cd pylorcon2
# python setup.py build
# python setup.py install
Test PyLorcon2

# python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import PyLorcon2
>>> PyLorcon2.get_version()
20091101
>>> for driver in PyLorcon2.list_drivers():
...     print driver
...
('madwifing', 'Linux madwifi-ng drivers, deprecated by ath5k and ath9k')
('tuntap', 'Linux tuntap virtual interface drivers')
('mac80211', 'Linux mac80211 kernel drivers, includes all in-kernel drivers on modern systems')
>>>

The line to look for is the mac80211 one. If it is missing from the list, lorcon was built without libnl support and the PoC will not be able to inject through your card; go back to Step One, install the dev packages and rebuild lorcon and PyLorcon2.
Use Proof of Concept Code

# python poc.py wlan0

Substitute the interface PyLorcon2 actually drives (the one the mac80211 driver picked up in the test above) for wlan0. Have fun dropping people's WiFi!
Misc fun stuff noted:
- Some devices need a restart to reconnect to WiFi after the script is killed.
- The PoC code advertises an SSID 'buggy' whose beacons carry the malformed RSN/TKIP information element (the "overflow magic") that triggers the bug.
- Other devices not on the list act 'weird'. The exploit fires when the user opens the wireless settings screen (on a phone) or the WiFi taskbar menu (on a laptop) to look for other networks, i.e. when the device scans and parses the beacon. Laptops and phones have dropped because of this PoC; more testing is required.
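The PoC itself is Core's to download and its exact malformed bytes are not reproduced here. What follows is an added example, not code from Core or from PyLorcon2: it builds a well-formed beacon for an SSID 'buggy' carrying an RSN IE (TKIP group cipher, CCMP and TKIP pairwise, PSK), then parses the frame back with the length and count checks an IE parser needs, so a suite count that claims more than the element actually holds is rejected instead of being read past the end, which is the class of input-validation bug the advisory describes. The 802.11 layout is standard; the BSSID and channel are made up for the demo, and the optional send at the bottom assumes the Context/open_injmon/set_channel/send_bytes calls from the PyLorcon2 documentation. Everything else runs offline under Python 2.7 or 3.

```python
# Added example: beacon builder and bounds-checked RSN IE parser.  Not Core's PoC,
# not PyLorcon2 code.  Python 2.7 or 3; the PyLorcon2 calls at the end are assumed.
import struct
import sys

RSN_OUI = b"\x00\x0f\xac"                   # 802.11i suite selector OUI
CIPHER_TKIP = RSN_OUI + b"\x02"
CIPHER_CCMP = RSN_OUI + b"\x04"
AKM_PSK = RSN_OUI + b"\x02"
TAG_SSID, TAG_RATES, TAG_DS, TAG_RSN = 0, 1, 3, 48
DEMO_SSID = b"buggy"                        # the SSID the post says the PoC advertises
DEMO_BSSID = b"\x02\x00\x00\x00\x00\x01"    # made up, locally administered address
DEMO_CHANNEL = 6                            # made up

def ie(tag, body):
    """Tag / length / value encoding shared by every 802.11 information element."""
    if len(body) > 255:
        raise ValueError("IE body does not fit in a one-byte length")
    return struct.pack("BB", tag, len(body)) + body

def build_rsn_ie(group, pairwise, akms, caps=0):
    """Well-formed RSN IE: version 1, group suite, counted pairwise suites, counted AKM suites, caps."""
    body = struct.pack("<H", 1) + group
    body += struct.pack("<H", len(pairwise)) + b"".join(pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(akms)
    return ie(TAG_RSN, body + struct.pack("<H", caps))

def build_beacon(ssid, bssid, channel, rsn_ie):
    """Raw 802.11 beacon, no radiotap header (lorcon adds the per-driver one)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"  # FC, duration, DA, SA, BSSID, seq
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval, caps: ESS + privacy
    ies = ie(TAG_SSID, ssid) + ie(TAG_RATES, b"\x82\x84\x8b\x96\x0c\x12\x18\x24")
    ies += ie(TAG_DS, struct.pack("B", channel))
    return hdr + fixed + ies + rsn_ie

def demo_frame():
    """Beacon for the demo SSID with a TKIP group / CCMP+TKIP pairwise / PSK RSN IE."""
    rsn = build_rsn_ie(CIPHER_TKIP, [CIPHER_CCMP, CIPHER_TKIP], [AKM_PSK])
    return build_beacon(DEMO_SSID, DEMO_BSSID, DEMO_CHANNEL, rsn)

def parse_ies(buf):
    """Walk the IE list, refusing any element whose declared length runs off the frame."""
    ies, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated IE header at offset %d" % off)
        tag, length = struct.unpack_from("BB", buf, off)
        if off + 2 + length > len(buf):
            raise ValueError("IE %d declares %d bytes, only %d left" % (tag, length, len(buf) - off - 2))
        ies.append((tag, buf[off + 2:off + 2 + length]))
        off += 2 + length
    return ies

def parse_rsn(body):
    """Parse an RSN IE body.  Each suite count is checked against the bytes that remain
    before the suites are read, so a lying count fails here, not as an out-of-bounds read."""
    pos = [0]
    def take(n):
        if pos[0] + n > len(body):
            raise ValueError("RSN IE truncated at offset %d: need %d bytes" % (pos[0], n))
        chunk = body[pos[0]:pos[0] + n]
        pos[0] += n
        return chunk
    def suites(count):
        if count * 4 > len(body) - pos[0]:
            raise ValueError("RSN IE announces %d suites, only %d bytes left" % (count, len(body) - pos[0]))
        return [take(4) for _ in range(count)]
    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = take(4)
    pairwise = suites(struct.unpack("<H", take(2))[0])
    akms = suites(struct.unpack("<H", take(2))[0])
    caps = struct.unpack("<H", take(2))[0] if len(body) - pos[0] >= 2 else 0  # caps field is optional
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms, "caps": caps}

def parse_beacon(frame):
    """Return SSID, channel and parsed RSN IE of a raw beacon; ValueError if anything is malformed."""
    if len(frame) < 36 or frame[0:1] != b"\x80":
        raise ValueError("not a complete beacon frame")
    out = {"ssid": None, "channel": None, "rsn": None}
    for tag, body in parse_ies(frame[36:]):
        if tag == TAG_SSID:
            out["ssid"] = body
        elif tag == TAG_DS and len(body) == 1:
            out["channel"] = struct.unpack("B", body)[0]
        elif tag == TAG_RSN:
            out["rsn"] = parse_rsn(body)
    return out

def beacon_is_valid(frame):
    """True if every length and count check passes, False otherwise."""
    try:
        parse_beacon(frame)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    frame = demo_frame()
    print(parse_beacon(frame))
    if len(sys.argv) > 1:        # python rsn_beacon.py wlan0 -> inject the frame once
        import PyLorcon2         # assumed API: Context, open_injmon, set_channel, send_bytes
        ctx = PyLorcon2.Context(sys.argv[1])
        ctx.open_injmon()
        ctx.set_channel(DEMO_CHANNEL)
        ctx.send_bytes(frame)
```

Run it with no arguments to see the parsed beacon, or with an interface name to push one copy of the well-formed frame out through PyLorcon2 (the same `Context`/`open_injmon`/`send_bytes` path the PoC relies on). The point of `parse_rsn` is the `suites()` check: the count field is compared with the bytes left in the element before a single suite is read, which is exactly the validation a firmware parser has to do on every beacon it sees during a scan.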
References:
Core advisory - http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329
Lorcon - http://code.google.com/p/lorcon/
PyLorcon2 - https://code.google.com/p/pylorcon2/