
Code Execution Bug In Broadcom Wi-Fi Driver

Posted by Zonk
from the catch-that-insect dept.
2U*U2 writes to mention an EWeek article about an entry in the Month of Kernel Bugs. John Ellch has discovered a critical vulnerability in the Broadcom wireless driver: a driver used in machines from HP, Dell, Gateway, and eMachines. From the article: "[The bug] is a stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver that could be exploited by attackers to take complete control of a Wi-Fi-enabled laptop. The vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field and can lead to arbitrary kernel-mode code execution. The volunteer ZERT (Zero Day Emergency Response Team) warns that the flaw could be exploited wirelessly if a vulnerable machine is within range of the attacker."
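As an added defensive illustration (not code from the article, ZERT or Broadcom), here is a bounds-checked parser for the SSID element of a probe-response body: both the element length and the frame length are validated before anything is copied into the fixed-size buffer, which is exactly the class of check the described overflow lacks. The frame layout follows 802.11 (12 bytes of fixed fields, then type/length/value elements, SSID capped at 32 octets); the sample bodies are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32          /* 802.11 caps the SSID element at 32 octets */
#define PROBE_RESP_FIXED_LEN 12  /* timestamp(8) + beacon interval(2) + capability(2) */
enum ssid_status { SSID_OK = 0, SSID_MISSING = -1, SSID_TRUNCATED = -2, SSID_TOO_LONG = -3 };

/* Walk the information elements of a probe-response body and copy the SSID
 * into out[] (SSID_MAX_LEN + 1 bytes). Both the element length and the frame
 * length are checked before any byte is copied, so an over-long or truncated
 * SSID element is rejected instead of overrunning the fixed-size buffer. */
static int extract_ssid(const uint8_t *body, size_t len, char out[SSID_MAX_LEN + 1]) {
    size_t pos = PROBE_RESP_FIXED_LEN;
    out[0] = '\0';
    while (pos + 2 <= len) {                              /* need element id + length */
        uint8_t id = body[pos], elen = body[pos + 1];
        if (pos + 2 + elen > len) return SSID_TRUNCATED;  /* claims more than the frame holds */
        if (id == 0) {                                    /* element id 0 is the SSID */
            if (elen > SSID_MAX_LEN) return SSID_TOO_LONG; /* the check the reported bug lacks */
            memcpy(out, body + pos + 2, elen);
            out[elen] = '\0';
            return SSID_OK;
        }
        pos += 2 + elen;                                  /* skip other elements */
    }
    return SSID_MISSING;
}

/* Constructed test input: a probe-response body whose SSID element claims
 * claimed_len bytes but actually carries `actual` bytes of 'A'. Returns body size. */
static size_t build_body(uint8_t *buf, size_t cap, uint8_t claimed_len, size_t actual) {
    size_t n = PROBE_RESP_FIXED_LEN;
    if (n + 2 + actual > cap) return 0;
    memset(buf, 0, n);                 /* fixed fields do not matter here; zeroed */
    buf[n++] = 0x00;                   /* element id: SSID */
    buf[n++] = claimed_len;
    memset(buf + n, 'A', actual);
    return n + actual;
}

int main(void) {
    uint8_t body[512];
    char ssid[SSID_MAX_LEN + 1];
    size_t n = build_body(body, sizeof body, 4, 4);
    printf("4-byte SSID: status %d, ssid \"%s\"\n", extract_ssid(body, n, ssid), ssid);
    n = build_body(body, sizeof body, 255, 255);
    printf("255-byte SSID: status %d (rejected)\n", extract_ssid(body, n, ssid));
    return 0;
}
```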
  • by Channard (693317) on Sunday November 12, 2006 @07:35AM (#16812708) Journal
    I was tempted by wireless, but given I don't have a laptop, I grabbed a couple of these twenty quid each Homeplug devices which plug into a mains socket and send data around the house's main circuit. It may not be as 'go anywhere' as Wireless, but in the light of this I guess it's more secure.
  • Re:NDISWrapper (Score:2, Interesting)

    by cheater512 (783349) <nick@nickstallman.net> on Sunday November 12, 2006 @08:10AM (#16812848) Homepage
    I think I've seen the driver in the list.
    Don't quote me. I don't have a Broadcom wireless.

    Anyway the flaw wouldn't affect Linux systems. Why? Different kernel.
  • Re:NDISWrapper (Score:3, Interesting)

    by Carewolf (581105) on Sunday November 12, 2006 @08:27AM (#16812922) Homepage
    There is such a driver in the most recent Linux kernels, but it still uses firmware extracted from Broadcom Windows drivers. So if the bug is in the firmware, it could even affect Broadcom native Linux drivers.
  • Re:So... (Score:3, Interesting)

    by masklinn (823351) <slashdot.org@maskl[ ].net ['inn' in gap]> on Sunday November 12, 2006 @09:08AM (#16813072)
    Yeah. In third party drivers for a third-party wireless adapter. He still hasn't disclosed any information on a bug in apple-supplied wireless drivers for apple-supported wireless devices, even though he was offered stuff for actually proving what he'd said (John Gruber, for example, offered to give him two brand-new fresh-out-of-the-box macbooks if he managed to hack them)
  • Re:"BCMWL5.SYS" (Score:3, Interesting)

    by Wonko the Sane (25252) * on Sunday November 12, 2006 @09:39AM (#16813186) Journal
    The bcm43xx driver included in the kernel cannot function without the firmware contained within bcmwl5.sys. So there isn't any way to determine (from this particular article) if the bug affects Linux or not.
  • Re:So... (Score:4, Interesting)

    by dfghjk (711126) on Sunday November 12, 2006 @09:51AM (#16813242)
    Still sensitive are you? The claim was that many platforms were vulnerable, not just macs.

    "He still hasn't disclosed any information on a bug in apple-supplied wireless drivers for apple-supported wireless devices..."

    Nor are they obligated to. Odds are that the presentation had the desired effect and there was no need to proceed further.

    "...even though he was offered stuff for actually proving what he'd said (John Gruber, for example, offered to give him two brand-new fresh-out-of-the-box macbooks if he managed to hack them)"

    No, here's the link:

    http://daringfireball.net/2006/09/open_challenge [daringfireball.net]

    Gruber challenged them to hack a macbook (not two) with many stipulations. The challenge was to be videotaped and the conditions were not under the control of the hackers. If the challenge was not met, the hackers would have to pay for the machine. The results of the videotaping were the property of John Gruber.

    There are plenty of reasons for not accepting the challenge. They may have felt that there would be too much risk that they didn't want to accept, they may have not given a shit about John Gruber (likely), they may not have wanted to contribute to his pro-Apple site, or they may have had no interest in the lame reward offered. A macbook may be exciting to you and John Gruber but probably not to them.

    Just because additional details were not provided on demand to Apple loyalists does not mean that vulnerabilities didn't exist. IMO the test configuration was chosen because it was the easiest one to demonstrate the flaw. That doesn't mean it's the only one that contains the flaw though Apple apologists have always insisted otherwise.
  • by twitter (104583) on Sunday November 12, 2006 @01:35PM (#16814558) Homepage Journal

    Does my "reverse engineered" linux driver have this bug?

    Probably not. If it does, it will be fixed soon.

    Why is it that a bunch of people who don't get paid come up with bug-free solutions?

    It gets fixed because it's free and therefore it can be. Non-free software writers put up with NDAs and code they can't share even if they wanted to. Their code is owned and so their effort and good will is likewise owned. Free software writers are free to share their tools as well as their improvements, so it's much easier to help your friends.

    By the way, there's no law against being paid to write free software. With all the tools available, free software writers can get the job done faster and for less money. That's something worth paying for and many people do. The vast majority of software jobs are in house, so GPL distribution conditions never take effect and are not an issue. It would be better to share the work with others if you can, but you don't have to and often can't under those circumstances and there is therefore no difference at all between your choice of tools besides the lower cost of the free tools.
