Security Hole in Broadcom Drivers
November 13, 2006
Attackers can use it to take over XP and Linux laptops. Broadcom released a fix to vendors, but so far only Linksys has a patch.
A "critical vulnerability" exists in the driver running wireless client chips from Broadcom of Irvine, California. The company is the number one Wi-Fi chipmaker, providing silicon for laptops from Dell, HP and Gateway, plus third-party Wi-Fi network cards.
The problem is a stack-based buffer overflow that attackers could use to hijack a computer, even via a wireless connection. It's found in the driver file BCMWL5.sys, and can be exploited when run on Windows XP and probably other operating systems such as Linux and FreeBSD.
The problem was revealed to the general public this past weekend by the Month of Kernel Bugs (MoKB) project. However, it was found earlier this year by Jon Ellch, the researcher who goes by the handle Johnny Cache. He demonstrated the problem at Microsoft's Blue Hat hacker summit last month. Ellch gained notoriety this year for finding an issue with other Wi-Fi drivers that involved a lot of back and forth with Apple Computer over whether or not Mac OS X was truly vulnerable.
Is this a bug that puts your computer in imminent danger? ZERT says an unpatched laptop with this problem is in danger near any other user in a public place, as the attack doesn't require you to be close to an access point or on a network at the time.
However, Wi-Fi pundit Glenn Fleishman, covering the topic at Wi-Fi Networking News, says, "While this is a serious exploit, it has to be carried out by individuals, even individuals with high-gain antennas. Because the vector doesn't work over the Internet or over local networks, only within the range of active Wi-Fi adapters accepting probe responses within reach of a malicious user, this reduces the scope of the number of possible machines infected." Anyone who's truly nervous has to turn off the wireless and hook up to the wired until they get a patch.