Saturday, November 11, 2006

Lỗi nghiêm trọng trong device driver của hãng Broadcom

Dự án Month of Kernel Bug vừa mới thông báo một lổ hổng nghiêm trọng trong driver cho card wireless của hãng Broadcom:
The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonenet, and other wireless card manufactures also provide devices that ship with this driver.

All tests were performed with version 3.50.21.10 of the BCMWL5.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using BCMWL5.SYS and upgrade accordingly.
Internet Storm Center cũng có một bài phân tích sơ bộ về lổ hổng này:
  • Only effects the wireless driver, not the broadcom wired cards.
  • The resepective file is BCMWL5.SYS Version 3.50.21.10 (this is the version pointed out as vulnerable. Others may be vulnerable as well).
  • Only Linksys published an official update at this time.
  • Other vendors have later versions of this file available as patches. It is not clear if they patch the problem or not.
  • The problem is triggered by an overly long SSID
  • the MOKB project published a metasploit module to ease exploitation of this problem.
Go ahead and patch your driver with whatever version they offer. If you get a chance, test the exploit and see if it works against some of the later versions. Of course, take care when doing so. The "known to be fixed" version from Linksys is 4.100.15.5.

Whenever you don't use your wireless network, turn off the wireless card. In particular if you are in a public space (airport, hotel).
Một module khai thác lổ hổng này cũng đã được đưa vào Metasploit. Eo ôi, sợ quá! Cái máy Dell e1505 của tôi cũng sử dụng wireless card của Broadcom, đi upgrade thôi!

Cập nhật lúc 1:55PM GMT+7: ZERT vừa đưa ra FAQ về lổ hổng này. Đây là một lổ hổng cực kì nghiêm trọng, đề nghị những ai sử dụng laptop nên kiểm tra và nhanh chóng upgrade nếu như sử dụng card wireless của Broadcom.

No comments: