WiFi chip firmware in a variety of devices used mainly for gaming, personal computing, and communication comes with multiple issues. At least some of them could be exploited to run arbitrary code remotely without requiring user interaction.
The security flaws were discovered in ThreadX, a real-time operating system (RTOS) developed by Express Logic. The vendor claims on its website that ThreadX has over 6.2 billion deployments, making it one of the most popular pieces of software powering Wi-Fi chips.
The firmware is also powering the Avastar 88W8897 SoC (Wi-Fi + Bluetooth + NFC) from Marvell, present in Sony PlayStation 4 (and its Pro variant), Microsoft Surface (+Pro) tablet and laptop, Xbox One, Samsung Chromebook and smartphones (Galaxy J1), and Valve SteamLink.
WiFi chip initialization process
A WiFi chip is typically initialized by a driver from the manufacturer that loads the firmware image during the startup routine.
With Marvell’s wireless system-on-chip (SoC), there are certain drivers that work with the Linux kernel it uses: ‘mwifiex’ (source available in the official Linux repository), ‘mlan’ and ‘mlinux,’ whose sources are available in the official steamlink-sdk repo.
Both feature debug capabilities, allowing reading from and writing to the WiFi module’s memory.
Controlling memory block allocation
One of the vulnerabilities discovered in the firmware is a block pool overflow that could be triggered when the chip is scanning for available networks, a process that starts every five minutes, even if the device is already connected to a WiFi network; knowledge of the WiFi name or the access password is irrelevant.
“That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE [remote code execution] in just powered-on Samsung Chromebook,” says Denis Selianin, a researcher at Embedi, a company specializing in the security of embedded devices.
In a report released today by the company, Selianin describes two methods of exploitation, one that works on any ThreadX-based firmware if certain conditions are met, and another typical for Marvell’s implementation of the firmware on its modules; combining the two methods leads to reliable exploitation, the researcher says.
In the generic case, an attacker can overwrite the pointer to the next free block of memory and control the location for allocating the next block.
“By controlling the location of next block allocation, an attacker can place this block to the place where some critical runtime structures or pointers are, thus achieving an attacker’s code execution,” Selianin explains.
Exploiting the bug on Marvell’s Avastar SoC involved reverse engineering wrapper functions for memory management routines. This works if the next block is occupied.
The functions place a metadata header at the beginning of each ThreadX block, containing special pointers that are called before a block is freed. This information is sufficient to allow code execution on a wireless SoC.
Selianin used a custom tool to dump the WLAN chip’s firmware from a Valve Steam Link hardware device (no longer manufactured, but still supported) and checked it for potentially exploitable issues with the afl-unicorn fuzzing tool. He was able to find about four memory corruption issues.
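The generic case comes down to a free list that lives inside the pool memory it manages. The following C model is an added example, not ThreadX or Marvell code: the pool layout, the sizes and all function names are assumptions made for illustration. It puts an allocator that trusts the stored next-block pointer beside one that validates the pointer before following it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE  32u   /* constructed sizes, not taken from any firmware */
#define BLOCK_COUNT 4u

/* Simplified model (an assumption, not ThreadX source): a free block keeps the
 * pointer to the next free block in its first bytes, inside pool memory. */
typedef struct {
    uint8_t  mem[BLOCK_SIZE * BLOCK_COUNT];
    uint8_t *free_head;
} pool_t;

static uint8_t *get_next(const uint8_t *blk) {
    uint8_t *n;
    memcpy(&n, blk, sizeof n);
    return n;
}

void pool_init(pool_t *p) {
    for (size_t i = 0; i < BLOCK_COUNT; i++) {
        uint8_t *n = i + 1 < BLOCK_COUNT ? p->mem + (i + 1) * BLOCK_SIZE : NULL;
        memcpy(p->mem + i * BLOCK_SIZE, &n, sizeof n);
    }
    p->free_head = p->mem;
}

/* A link is valid only if NULL or on a block boundary inside the pool. */
static int link_ok(const pool_t *p, const uint8_t *q) {
    uintptr_t a = (uintptr_t)q, base = (uintptr_t)p->mem;
    if (q == NULL) return 1;
    return a >= base && a < base + sizeof p->mem && (a - base) % BLOCK_SIZE == 0;
}

/* Unchecked: trusts whatever pointer is stored in the free block. */
uint8_t *pool_alloc_unchecked(pool_t *p) {
    uint8_t *blk = p->free_head;
    if (blk) p->free_head = get_next(blk);
    return blk;
}

/* Hardened: fails closed instead of following a link that leaves the pool. */
uint8_t *pool_alloc_checked(pool_t *p) {
    uint8_t *blk = p->free_head;
    if (!blk || !link_ok(p, blk) || !link_ok(p, get_next(blk)))
        return NULL;
    p->free_head = get_next(blk);
    return blk;
}
```

The bounds-and-alignment check only catches links that leave the pool; it does not replace fixing the overflow that corrupts the link in the first place.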
Stack-based buffer overflow
The researcher was able to execute code on the processor of Valve’s gadget by exploiting a security bug in the device’s application processor driver, with the help of a second escalation vulnerability. Leveraging this flaw is similar to the previous exploit.
“The only difference is that an attacker sends data from a controlled Wi-Fi SoC over SDIO bus, not over the network,” Selianin explains, adding that because a driver acts as a bridge between the device and the operating system (OS), it should get data from a device, parse and pass it to the OS.
The code the Marvell Wi-Fi driver uses for these operations should be able to process a large variety of message types composed of information elements (IEs), making for a wide attack surface.
Another vulnerability the researcher found is a stack-based buffer overflow, which is dead easy to exploit, according to Selianin, because the Linux kernel (‘3.8.13-mrvl’) used by Marvell does not include binary exploitation mitigations.
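A driver that treats the SoC as untrusted has to bounds-check every IE before copying it into a fixed-size buffer. The parser below is an added example, not code from the Marvell driver: it assumes the standard 802.11 IE layout (one-byte ID, one-byte length, payload), and `scan_result_t` and `parse_ies` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN   2u    /* 802.11 IE: 1-byte ID, 1-byte length, payload */
#define IE_ID_SSID   0u
#define SSID_MAX_LEN 32u

typedef struct {           /* hypothetical result type for this example */
    uint8_t ssid[SSID_MAX_LEN];
    size_t  ssid_len;
    size_t  ie_count;
} scan_result_t;

/* Walks the IEs in a device-supplied buffer. Returns 0 on success, -1 if an
 * IE is truncated or a payload is larger than the fixed-size destination. */
int parse_ies(const uint8_t *buf, size_t len, scan_result_t *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < IE_HDR_LEN)
            return -1;                  /* header itself is truncated */
        uint8_t id    = buf[off];
        size_t  ielen = buf[off + 1];
        off += IE_HDR_LEN;
        if (ielen > len - off)
            return -1;                  /* declared length overruns the input */
        if (id == IE_ID_SSID) {
            if (ielen > sizeof out->ssid)
                return -1;              /* would overflow the fixed buffer */
            memcpy(out->ssid, buf + off, ielen);
            out->ssid_len = ielen;
        }
        off += ielen;                   /* IEs with other IDs are skipped */
        out->ie_count++;
    }
    return 0;
}
```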
An attacker would be able to exploit the vulnerability and run instructions in just two steps:
- Call the v7_flush_kern_cache_louis Linux kernel function.
- Execute shellcode.
A video showing full-chain exploitation of the Marvell Avastar WiFi module on Valve SteamLink has been released. It demonstrates that over-the-air exploitation is possible with no user interaction.
Selianin’s motivation was that devices using this type of chip for wireless communication have not been sufficiently scrutinized by the security community.
He presented his findings (slides here) at the ZeroNights security conference held in Moscow, Russia, back in November. A video is available for our Russian-speaking readers.
Selianin said in his presentation that as soon as a fix becomes available, he would publish a write-up with the exploit and the tools used in the process.