Critical WiFi Bug Found on Linux

France Telecom researcher demo'd device driver bug in MadWiFi Linux kernel

Dark Reading logo in a gray background | Dark Reading

A researcher from France Telecom has discovered the first remotely exploitable 802.11 WiFi bug on a Linux machine. The kernel stack-overflow bug, which is in the open-source MadWiFi Linux kernel device driver, lets an attacker run malicious code remotely on an infected machine -- and the infected machine doesn't even have to be on a WiFi network to get "owned."

Laurent Butti, senior security expert for France Telecom's Orange R&D, says all it takes is the client machine's NIC to be activated and perform its automated scanning feature for WiFi access points in range, and the vulnerability is triggered. The attacker initially must be in wireless range of the victim for the code to execute the exploit, he says.

Butti, who also found three Windows WiFi bugs with his homegrown 802.11 fuzzing tool -- two of which (Netgear) made the Month of Kernel Bugs last year and allow denial-of-service attacks -- admits that a Linux bug doesn't mean much to the mostly Windows and Mac mainstream WiFi laptop user. But, he says, the Atheros chipset itself is widely used. (See Month of Kernel Bugs Ends in Controversy and Kernel Bugs Come Marchin' In.)

The researcher presented his findings at Black Hat Europe in Amsterdam last month, but he had already released his proof-of-concept exploit last December after going through a "responsible disclosure" process with MadWiFi's development team, he says. "We contacted them and waited for them to patch the issue" first, he says, which they did.

Butti's work follows in the footsteps of WiFi device driver vulnerability research done by Jon Ellch (a.k.a. Johnny Cache) and David Maynor, CTO of Errata Security, who showed how device drivers were a hacker's dream come true at Black Hat USA last summer. (See Device Drivers at Risk.)

And these bugs have implications for the OS kernel. "The vulnerabilities are driver code. But as driver code operates in [the operating system's] kernel-land, any exploitable security bug will compromise the kernel" as well, Butti says.

With 802.11 standards becoming more complex and requiring extensions and more code in APs and drivers, there will be more bugs to come, he says.

Although his homegrown fuzzer has some advanced features, Butti says most vulnerabilities can be found with a basic wireless fuzzer, which shows how easy it is to find device-driver bugs today. "I gave some fuzzing scripts in my [Black Hat] presentation that should find about 80 percent of known wireless driver bugs."

Meanwhile, Butti is working on building an 802.11 fuzzer that expands beyond his recent research on client-side vulnerabilities to the access point side as well. "I am trying to develop a fully featured 802.11 fuzzer for both client and access point side."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights