Security Hole in Broadcom Drivers

By Eric Griffith

November 13, 2006

Attackers can use it take over XP and Linux laptops. Broadcom released a fix to vendors, but so far only Linksys has a patch.

A "critical vulnerability" exists in the driver running wireless client chips from Broadcom of Irvine, California. The company is the number one Wi-Fi chipmaker, providing silicon for laptops from Dell, HP and Gateway, plus third party Wi-Fi network cards.

The problem is a stack-based buffer overflow that attackers could use to hijack a computer, even via a wireless connection. It's found in the driver file BCMWL5.sys, and can be exploited when run on Windows XP and probably other operating systems such as Linux and FreeBSD.

The problem was revealed this past weekend to the general public by the Month of Kernel Bugs (MoKB) project. However, it was found earlier this year by Jon Ellch, the researcher who goes by the handle Johnny Cache. He demonstrated the problem at Microsoft's Blue Hat hacker summit last month. Ellch gained notoriety this year in finding an issue with other Wi-Fi drivers that involved a lot of back and forth with Apple Computer over whether or not Mac OS X was truly vulnerable.

Broadcom was made aware of the exploit earlier this year, and has released a patch to vendors. Linksys updated its WPC300N Wireless-N card earlier this month to avoid the problem. The Zeroday Emergency Response Team (ZERT) offers third party patches for such critical vulnerabilities, but stated that in this case it's not able to do so, since a single patch won't be sufficient considering the wide range of vendors who use Broadcom chips.

Is this a bug that puts your computer in imminent danger? ZERT says your laptop with this problem unpatched is in danger near any other user in a public place, as it doesn't require you to be close to an access point or on a network at the time.

However, Wi-Fi pundit Glenn Fleishman, covering the topic at Wi-Fi Networking News, says, "While this is a serious exploit, it has to be carried out by individuals, even individuals with high-gain antennas. Because the vector doesn’t work over the Internet or over local networks, only within the range of active Wi-Fi adapters accepting probe responses within reach of a malicious user, this reduces the scope of the number of possible machines infected." Anyone who's truly nervous has to turn off the wireless and hook up to the wired until they get a patch.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.