| Title: | Broadcom Wireless Driver Probe Response SSID Overflow |
| Description: |
The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based
buffer overflow that can lead to arbitrary kernel-mode code execution. This
particular vulnerability is caused by improper handling of 802.11 probe responses
containing a long SSID field.
The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other
computer manufacturers. Broadcom has released a fixed driver to their partners, which
are in turn providing updates for the affected products. Linksys, Zonet, and other
wireless card manufactures also provide devices that ship with this driver.
Fixed version of a Broadcom-compatible driver Vulnerable driver version (For testing and verification purposes). |
| Author/Contributor: |
Johnny Cache <johnnycsh [at] 802.11mercenary.net> - found vulnerability, reported to Broadcom. NA<NAgt; - MoKB release. |
| References: | |
| Proof of concept or exploit: | Metasploit Module: exploits/windows/driver/broadcom_wifi_ssid.rb |
| Debugging information: |
All tests were performed with version 3.50.21.10 of the BCMWL5.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using BCMWL5.SYS and upgrade accordingly. |