The Month of Kernel Bugs project (MoKB), started by Metasploit creator H.D. Moore, revealed in an advisory Saturday that Broadcom's wireless drivers are vulnerable to a "stack-based buffer overflow that can lead to arbitrary kernel-mode code execution."
"Although it cannot be exploited over the internet, it can be used against your computer from a distance," according to a follow-up advisory issued Saturday by the Zeroday Emergency Response Team. "If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop or using your computer with the wireless card enabled in a public place, you are at risk."
Moore, director of security research at Austin, Texas-based BreakingPoint Systems, told SCMagazine.com today that the flaw - for which MoKB released exploit code - is effective across different wireless products and versions.
"The interesting thing about the vulnerability is how reliable it is," Moore said. "An attacker can do anything they'd like. There's no security software you can run at all to protect you. The driver receives the (malicious) packet before any firewall does."
It's up to the vendors, such as Hewlett-Packard, Dell and Gateway, to push out fixes after Broadcom released the fixed driver to its partners, according to ZERT. Linksys, Zonet and other wireless card makers also offer devices that ship with the Broadcom driver.
"Contact your vendor," Moore suggested to end users. "Ask them when they (the repaired drivers) will be out."
He also said users should disable the radio on their wireless drivers when in public places.
Although the flaw is considered dangerous, Moore said he has not seen widespread exploitation, likely because launching the attack is tedious and expensive.
Moore said that for an exploit to succeed, the attacker must run Linux, use Metasploit Framework 3.0 and have a wireless card that can conduct raw-packet injections.
"It kind of is somewhat of a hassle for people not familiar with wireless stuff," Moore said, adding that MoKB plans to release other wireless exploits soon.
A Broadcom spokesman could not be reached for comment today.
Broadcom wireless drivers vulnerable to attack, says Metasploit creator
By Dan Kaplan on Nov 13, 2006 10:37PM