November 13, 2006 4:21 PM PST
Broadcom flaw could allow Wi-Fi hijacks
The code exploits a security vulnerability in a driver from chipmaker Broadcom. The software is used to run wireless networking hardware in Microsoft Windows-based computers sold by Hewlett-Packard, Dell, Gateway, eMachines and others, according to advisories sent out by various security groups and companies. Potentially, millions of systems could be affected.
The vulnerability is caused by improper handling of wireless network service names, called service set identifiers, or SSIDs, according to a Symantec alert sent to DeepSight subscribers on Monday. An intruder could craft a long SSID that would trigger the vulnerability and give him complete control over the vulnerable machine, the security company said.
"This is the first of this class of vulnerability to have public exploit availability at the time that the remote kernel vulnerability was reported," Symantec said. People who own vulnerable PCs should disable the affected wireless devices until patches have been made available, it said.
The vulnerability can be exploited over a Wi-Fi network only and not over the Internet, according to the advisory issued by a group of security professionals calling themselves the Zeroday Emergency Response Team, or ZERT. That means that an attacker has to be within Wi-Fi range of the target, typically 150 feet indoors and 300 feet outdoors.
"If you are near other users with laptops, you are at risk," according to the ZERT alert. "(Microsoft) Windows is exploitable without the existence of an access point or any interaction from the user. The card's background scan of available wireless networks triggers the flaw," the alert read. An access point is another term for a wireless network base station.
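The trigger described above is a beacon whose SSID element is longer than the 32 octets the 802.11 standard allows. The following added example (not code from the article, Symantec or ZERT) walks the tagged parameters of a beacon frame body and flags an oversized or truncated SSID element, the kind of check a wireless IDS or a capture-review script would run; the frame layout and sample values are constructed for the example.

```python
import struct

SSID_MAX_LEN = 32          # 802.11 caps an SSID at 32 octets
BEACON_FIXED_LEN = 12      # timestamp (8) + beacon interval (2) + capability (2)
IE_SSID = 0                # element ID of the SSID information element


def parse_beacon_ies(body):
    """Walk the tagged parameters of a beacon frame body (bytes after the
    24-byte MAC header). Yields (element_id, declared_length, value);
    value may be shorter than declared_length if the frame is truncated."""
    pos = BEACON_FIXED_LEN
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        yield eid, elen, body[pos + 2:pos + 2 + elen]
        pos += 2 + elen


def check_ssid(body):
    """Classify the SSID element of a beacon body.
    Returns ('ok' | 'oversized' | 'truncated' | 'missing', declared_length)."""
    for eid, elen, value in parse_beacon_ies(body):
        if eid != IE_SSID:
            continue
        if elen > SSID_MAX_LEN:
            return "oversized", elen      # longer than the standard permits
        if len(value) < elen:
            return "truncated", elen      # declared length runs past the frame
        return "ok", elen
    return "missing", None


def build_beacon_body(ssid):
    """Constructed sample input: minimal beacon body with the given SSID."""
    body = b"\x00" * 8                          # timestamp
    body += struct.pack("<HH", 100, 0x0401)     # interval, capability (ESS+privacy)
    body += bytes([IE_SSID, len(ssid)]) + ssid  # SSID element
    body += bytes([1, 1, 0x82])                 # supported rates: 1 Mbps basic
    return body


if __name__ == "__main__":
    for name, body in [("normal", build_beacon_body(b"corpnet")),
                       ("long", build_beacon_body(b"A" * 64))]:
        print(name, check_ssid(body))
```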
Digging out the flaw
An exploit for the vulnerability has been added to the Metasploit Framework security tool, allowing people with only moderate hacking knowledge to carry out attacks. The latest version of Metasploit, popular with both security professionals and miscreants, has the ability to probe for vulnerabilities in wireless software.
The Broadcom flaw was discovered by Jon "Johnny Cache" Ellch, a researcher who has extensively studied the security of wireless networking. Ellch was one of two security researchers who held a much-debated presentation on Wi-Fi security at the Black Hat Briefings security conference this summer.
Broadcom has released a patched driver to its hardware customers, which in turn should provide updates for their affected products, Heather Roberts, a Broadcom spokeswoman, said in an e-mailed statement. "We are in contact with our customers to help speed the deployment of drivers that fix this issue," she said.
After Black Hat, Broadcom embarked upon an audit of its Wi-Fi code, Roberts said. The company has identified and fixed several vulnerabilities and developed tools to find bugs, she said. Those tools are now part of its driver-testing procedures to prevent such security holes in the future, Roberts said.
The Broadcom flaw was made public as part of an initiative titled the "Month of Kernel Bugs," launched by a security researcher who goes by the initials "LMH." As part of the effort, details of a new bug in low-level software will be made public every day. The month started with an Apple Wi-Fi flaw.
It appears very few of Broadcom's customers so far have applied the update. Linksys, which sells products that ship with this driver, has released an updated driver, according to Symantec, which doesn't list any other vendors on its list of available patches.
Computer users can check whether they have the vulnerable driver by searching for it on their system; the driver file is named BCMWL5.SYS. As a workaround, some people suggest installing the fixed Linksys drivers for protection. TechRepublic blogger George Ou has instructions on how to do that.