This WiFi chip supports several WiFi protocols, such as WEP, WPA, WPA2 and so on. Being able to compromise a device simply because it has a WiFi interface is a big deal. The first two issues do not require knowledge of the PSK to exploit.
One of the connection types does a memcpy with a user-controlled size and buffer. Because the buffer is static, this leads to a classic buffer overflow on the stack! Using this vulnerability, RIP can be overwritten, resulting in complete compromise of the device.
At first, I thought "what about DEP and ASLR!? You would need to get incredibly lucky to guess these!" Well, it turns out that the WiFi chip has zero binary protections, making compromise trivial.
Besides this major bug, there is an OOB read triggered by sending a malicious size in one of the packets. The data is copied from a static buffer of size 512, while the size can be anything. This could have been used to bypass ASLR even if binary protections had been in place for the original vulnerability.
Several other buffer overflow vulnerabilities exist, but they are a little more involved to exploit and require knowledge of the PSK. The bad design pattern behind them is a user-controlled size being used on a static buffer. This happens both in memcpy calls and in loops that iterate too far through arrays.
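The pattern described above (a length taken from the packet and used against a fixed-size buffer, on both the write side and the read side) is shown here next to its bounds-checked form. This is an added example, not code from the chip's firmware: the function names, the two-byte little-endian length field and the 64-byte destination size are assumptions, and only the 512-byte source buffer size comes from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_BUF_LEN 64    /* assumed size of the fixed destination buffer */
#define INFO_BUF_LEN 512   /* the 512-byte static source buffer from the text */

static uint8_t info_buf[INFO_BUF_LEN];

/* Write side. The flawed pattern is:
 *     uint8_t elem[ELEM_BUF_LEN];
 *     memcpy(elem, frame + 2, claimed);   // claimed comes from the frame
 * Hardened: check the claimed length against both the bytes actually
 * received and the destination size. Returns bytes copied or -1. */
int copy_element(uint8_t *dst, size_t dst_len,
                 const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2)
        return -1;                          /* no room for the length field */
    size_t claimed = (size_t)frame[0] | ((size_t)frame[1] << 8);
    if (claimed > frame_len - 2)
        return -1;                          /* length exceeds received data */
    if (claimed > dst_len)
        return -1;                          /* would overflow the fixed buffer */
    memcpy(dst, frame + 2, claimed);
    return (int)claimed;
}

/* Read side. The flawed pattern is:
 *     memcpy(reply, info_buf, requested);  // requested comes from the frame
 * Hardened: never read past the static source or write past the reply. */
int build_reply(uint8_t *reply, size_t reply_len, size_t requested)
{
    if (requested > INFO_BUF_LEN || requested > reply_len)
        return -1;
    memcpy(reply, info_buf, requested);
    return (int)requested;
}

int main(void)
{
    /* Constructed frame: claims 200 payload bytes but carries 3. */
    const uint8_t frame[] = { 200, 0, 'a', 'b', 'c' };
    uint8_t elem[ELEM_BUF_LEN], reply[1024];
    printf("copy_element: %d\n", copy_element(elem, sizeof elem, frame, sizeof frame));
    printf("build_reply(600): %d\n", build_reply(reply, sizeof reply, 600));
    return 0;
}
```

Both checks are needed on the write side: the first stops the parser reading past the received frame, the second stops it writing past the fixed buffer.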
There is still low-hanging fruit everywhere. We just need to know where to look! Sometimes, the setup process for attack surfaces that are harder to understand or set up is the best place to hit. The easier stuff to test has already been hit hard!