Exploit Released For Broadcom Wireless Flaw

driver buffer

The flaw relates to how the driver handles 802.11 requests with a long service set identifier, or SSID, which differentiates WLANs from one another. Attackers could send a specially designed packet to trigger a buffer overflow and execute malicious code on the target PC, according to an advisory issued Monday by Danish security research firm Secunia.

The open-source vulnerability testing framework Metasploit has published an exploit for the vulnerability, which affects PCs running Windows 2000 and XP.

Broadcom wireless driver version 3.50.21.10 is affected by the flaw, but other versions also may be vulnerable, Secunia said. Broadcom has released a patched driver to its vendor partners, which are releasing updates for their affected products.

The flaw was discovered by security researcher Johnny Cache as part of the Month of Kernel Bugs project, (MoKB). MoKB, which is publishing an exploit per day to highlight common kernel attacks, kicked off on Nov. 1 with details of a vulnerability affecting Apple's AirPort wireless drivers.

The Zeroday Emergency Response Team (ZERT), a group of independent security researchers who work to release patches for critical vulnerabilities in advance of vendors' patch releases, said in an advisory that anyone using a notebook with wireless enabled in a public place is at risk. The fact that the wireless card scans in the background for available wireless networks means that Windows-based notebooks can be exploited without a WLAN access point or user interaction, according to the ZERT advisory.

The issues exposed by the Broadcom wireless driver flaw are relevant to the arguments being made against security in Vista, said Joe Bardwell, president and chief scientist at Connect802, a San Ramon, Calif.-based wireless integrator.

Symantec and McAfee have claimed that Microsoft has locked down the Vista kernel too tightly for their security products to provide protection. But Bardwell said it's likely that Vista wouldn't allow third-party code -- such as code that would be injected through the Broadcom wireless driver vulnerability -- to operate at the kernel level.

Symantec's Deepsight Threat Management System gave the Broadcom vulnerability an aggregate score of 9.8 on a 10-point scale, and the French Security Incident Research Team (FrSIRT) labeled the flaw as "critical," or 4 on a 4-point scale. However, Secunia saw the risk as less severe, rating it "moderately critical," or 3 on a scale of 5.