Apple has shipped an emergency patch for an "arbitrary code execution on the WiFi chip" vulnerability in iOS, tracked as CVE-2017-6975. The latest reports, however, show that it is not only the iPhone that is affected: millions of smartphones and other devices built on Broadcom WiFi chips, including Android devices from many brands, can be hijacked over the air, and the hijacking requires no interaction from the user.
Among the several high-risk vulnerabilities fixed by iOS 10.3.1, which Apple released in a hurry yesterday, one stands out. An attacker on the same WiFi network can use it to remotely execute malicious code on the Broadcom WiFi chip (SoC) used by the device.
The flaw was discovered by Gal Beniamini of Google Project Zero, who disclosed the research details in a long blog post. In the post he describes the vulnerability as a stack buffer overflow. Beniamini states that it affects not only Apple devices but every device that uses the Broadcom WiFi chip.
According to Beniamini, the problem lies in Broadcom's firmware code and leads to remote code execution: an attacker within WiFi range of the device can deliver code to the target device and have it executed. A more aggressive attacker could go on to deploy malicious code, take full control of the victim's device, and install banking Trojans, ransomware, adware and similar malware without the victim's knowledge.
In a follow-up post, Beniamini plans to explain how an attacker who already controls the WiFi chip can go further, reaching the application processor and taking control of the operating system.
Over-the-air intrusion into the Broadcom WiFi SoC
According to Beniamini, the firmware running on the Broadcom WiFi chip can be fed crafted input that results in a stack buffer overflow. He sent modified WiFi frames containing abnormal values to the WiFi controller, which triggered the overflow in the firmware's stack.
Beniamini then combined these abnormal values with a frequently firing timer inside the chip, gradually overwriting the device's RAM until his code was executed.
The precondition for exploiting the vulnerability is therefore that the attacker must be within WiFi range of the target device.
Beniamini notes that although building this exploit against the WiFi chip is quite complex, it remains a real security problem, especially because it cannot be addressed by the basic exploit mitigations such as heap cookies, safe unlinking and memory access permissions.
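The bug class described above, a fixed-size stack buffer filled according to a length field taken from the received frame, is shown below as an added illustration. This is hypothetical parser code written for this article, not Broadcom's firmware and not code from Beniamini's post; the buffer size, the function names and the sample frames are all constructed for the example. The unchecked variant is included only for contrast with the bounds-checked one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical size of a fixed stack buffer in a frame parser. */
#define IE_COPY_MAX 32

/* Vulnerable pattern: the length byte inside the frame is trusted and
 * used directly as the memcpy size. A frame whose length byte exceeds
 * IE_COPY_MAX overwrites the stack beyond `local`. This function is
 * never called below; it is shown only to contrast with the fix. */
int parse_ie_unchecked(const uint8_t *frame, size_t frame_len) {
    uint8_t local[IE_COPY_MAX];
    if (frame_len < 2) return -1;
    uint8_t ie_len = frame[1];           /* attacker-controlled length */
    memcpy(local, frame + 2, ie_len);    /* stack overflow when ie_len > 32 */
    return local[0];
}

/* Hardened pattern: the claimed length is checked against both the
 * destination buffer and the number of bytes the frame actually carries.
 * Returns the number of bytes copied, or a negative error code. */
int parse_ie_checked(const uint8_t *frame, size_t frame_len,
                     uint8_t *out, size_t out_len) {
    if (frame_len < 2) return -1;        /* no room for id + length header */
    size_t ie_len = frame[1];
    if (ie_len > out_len) return -2;     /* would overflow the destination */
    if (ie_len > frame_len - 2) return -3; /* claims more than the frame has */
    memcpy(out, frame + 2, ie_len);
    return (int)ie_len;
}

/* Constructed sample frames: a one-byte element id, a length byte, and
 * the element body. These are not real captured 802.11 frames. */
int demo_normal(void) {
    const uint8_t frame[] = { 0xDD, 0x04, 0x01, 0x02, 0x03, 0x04 };
    uint8_t out[IE_COPY_MAX];
    return parse_ie_checked(frame, sizeof frame, out, sizeof out);
}

int demo_oversized(void) {
    /* Length byte 0xFF (255) far exceeds the 32-byte destination. */
    const uint8_t frame[] = { 0xDD, 0xFF, 0x41, 0x41, 0x41, 0x41 };
    uint8_t out[IE_COPY_MAX];
    return parse_ie_checked(frame, sizeof frame, out, sizeof out);
}

int demo_truncated(void) {
    /* Length byte 10 fits the buffer but the frame only carries 4 bytes. */
    const uint8_t frame[] = { 0xDD, 0x0A, 0x41, 0x41, 0x41, 0x41 };
    uint8_t out[IE_COPY_MAX];
    return parse_ie_checked(frame, sizeof frame, out, sizeof out);
}

int main(void) {
    printf("normal:    %d\n", demo_normal());     /* 4  */
    printf("oversized: %d\n", demo_oversized());  /* -2 */
    printf("truncated: %d\n", demo_truncated());  /* -3 */
    return 0;
}
```

The second check matters as much as the first: a length that fits the destination but exceeds the received frame turns a write overflow into an out-of-bounds read of whatever follows the frame in memory, which is exactly the kind of defect that reaches the firmware's stack with attacker-chosen values.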
Beniamini also published a proof of concept in his post, demonstrating the attack on a Nexus 6P (since patched) running Android 7.1.1, build NUF26K.
In addition, Beniamini found several other vulnerabilities in firmware version 6.37.34.40 of the Broadcom WiFi chip.
Nexus and iOS have patches; other models must wait
The Google Project Zero team reported the issue to Broadcom in December last year. Because the vulnerability sits in Broadcom's code, smartphone manufacturers can only wait for Broadcom to release the patch, then test it and push it to their users.
Google and Apple released security updates on Monday to fix the vulnerability. Google shipped its fix in the Android Security Bulletin for April 2017, while Apple shipped iOS 10.3.1.
For further technical details, see the Google Project Zero team's blog.