Critical Vulnerability Found in MediaTek Wi-Fi Chipsets: Threat of Remote Code Execution

CyberPro Magazine

[Source – phoneworld.com.pk]

A vulnerability in MediaTek Wi-Fi chipsets, which are widely used in devices with Wi-Fi 6 (802.11ax) support, lets an attacker achieve remote code execution (RCE) without any user interaction: the only requirement is the ability to send packets to the affected service. Tracked as CVE-2024-20017, the flaw affects products from well-known manufacturers including Ubiquiti, Xiaomi, and Netgear, so a broad range of consumer and small-business networking gear is in scope.

Vulnerability Details: Buffer Overflow Exploit

The vulnerability lies in wappd, a network daemon shipped with MediaTek Wi-Fi chipsets, specifically in the MT7622/MT7915 SDK and the RTxxxx SoftAP driver bundle. The daemon manages wireless interfaces and access-point configuration, including the Hotspot 2.0 functionality. Research published by Coffinsec showed that this component contains a stack-based buffer overflow.

The root cause is a copy operation whose length is taken straight from a field in the incoming packet and never compared with the size of the destination buffer. Because that buffer lives on the stack, an attacker who declares an oversized length can write up to 1433 bytes past its end, reaching the saved registers and return address stored above it. Any party able to deliver packets to the daemon can therefore corrupt its control flow and run arbitrary code in the daemon's context, with no action required from the device owner.
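The pattern described above, shown as an added example that is not code from wappd or from the Coffinsec write-up: a handler that copies a packet-declared number of bytes into a fixed stack buffer, beside a hardened version that checks the declared length against both the bytes actually received and the destination size. The frame layout (type byte, flags byte, 2-byte big-endian length, payload), the 64-byte buffer, the function names and the sample packets are all hypothetical constructions for illustration.

```c
/* Added example (not wappd's code): unchecked packet-length copy vs. a bounded copy.
 * Frame layout, buffer size and names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN   4     /* hypothetical: type, flags, 2-byte big-endian payload length */
#define FRAME_MAX 64    /* hypothetical fixed-size stack buffer */

enum parse_rc {
    PARSE_SHORT_HDR       = -1,  /* datagram too short to hold a header */
    PARSE_LEN_EXCEEDS_PKT = -2,  /* declared length runs past the received bytes */
    PARSE_LEN_EXCEEDS_BUF = -3   /* declared length larger than the destination */
};

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the copy length comes from the packet and is never
 * compared with sizeof(frame). A declared length above FRAME_MAX overwrites
 * whatever sits above frame[] in the stack frame (saved registers, canary,
 * return address). Only ever call this with a trusted packet. */
int handle_frame_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t frame[FRAME_MAX];
    if (pkt_len < HDR_LEN)
        return PARSE_SHORT_HDR;
    uint16_t declared = read_be16(pkt + 2);
    memcpy(frame, pkt + HDR_LEN, declared);   /* BUG: attacker chooses 'declared' */
    return (int)declared;
}

/* Hardened version: the declared length is bounded by the bytes actually
 * received (no over-read of the datagram) and by the destination size
 * (no over-write of the buffer). */
int handle_frame_hardened(const uint8_t *pkt, size_t pkt_len,
                          uint8_t *out, size_t out_size)
{
    if (pkt_len < HDR_LEN)
        return PARSE_SHORT_HDR;
    uint16_t declared = read_be16(pkt + 2);
    if (declared > pkt_len - HDR_LEN)
        return PARSE_LEN_EXCEEDS_PKT;
    if (declared > out_size)
        return PARSE_LEN_EXCEEDS_BUF;
    memcpy(out, pkt + HDR_LEN, declared);
    return (int)declared;
}

/* Builds a constructed datagram (not captured traffic) whose header claims
 * 'declared' payload bytes while 'payload_len' bytes actually follow it,
 * then feeds it to one of the handlers and returns the handler's result. */
int run_case(uint16_t declared, size_t payload_len, int hardened)
{
    uint8_t pkt[HDR_LEN + 2048];
    uint8_t out[FRAME_MAX];
    if (payload_len > sizeof(pkt) - HDR_LEN)
        return PARSE_LEN_EXCEEDS_PKT;
    pkt[0] = 0x01;                         /* hypothetical message type */
    pkt[1] = 0x00;                         /* hypothetical flags */
    pkt[2] = (uint8_t)(declared >> 8);
    pkt[3] = (uint8_t)(declared & 0xff);
    memset(pkt + HDR_LEN, 'A', payload_len);
    size_t pkt_len = HDR_LEN + payload_len;
    return hardened ? handle_frame_hardened(pkt, pkt_len, out, sizeof(out))
                    : handle_frame_vulnerable(pkt, pkt_len);
}

int main(void)
{
    printf("benign frame, hardened:    %d\n", run_case(16, 16, 1));
    printf("benign frame, vulnerable:  %d\n", run_case(16, 16, 0));
    printf("length lies about packet:  %d\n", run_case(1433, 36, 1));
    printf("payload larger than frame: %d\n", run_case(100, 100, 1));
    /* run_case(100, 100, 0) is the crash: 100 bytes copied into a 64-byte frame. */
    return 0;
}
```

Both checks in the hardened handler matter: comparing only against the buffer size still lets a short datagram with a large declared length read past the received bytes, and comparing only against the datagram length still lets a long datagram overflow the buffer. The vulnerable handler is deliberately never called with an oversized length here; doing so would smash its own stack frame, which is exactly the condition the four exploits below build on.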

Exploitation Methods

The Coffinsec write-up demonstrates four separate exploits, each matched to the set of exploit mitigations compiled into a particular target build.

  1. First Exploit: The initial method is a straightforward return-address hijack. The overflow overwrites the saved return address on the stack, redirecting execution into a chain of ROP (return-oriented programming) gadgets that ends in a call to system() with an attacker-chosen shell command. This presumes no stack canary guards the return address and that gadget addresses are predictable.
  2. Second Exploit: This approach works around stack canaries and Address Space Layout Randomization (ASLR) by corrupting a pointer rather than the return address, which yields an arbitrary write primitive. That primitive is used to overwrite the Global Offset Table (GOT) entry for read(), so the next call to read() lands in the attacker's shell payload instead. It depends on the GOT being writable, which full RELRO would prevent.
  3. Third Exploit: For builds with full Read-Only Relocations (RELRO), where the GOT cannot be overwritten, the third method chains ROP gadgets to stage a command string in the writable .bss or .data segments and then jumps to system() with that string as its argument.
  4. Fourth Exploit: The final method targets the Netgear WAX206, whose wappd build has ASLR, NX, full RELRO, and stack canaries all enabled. Pointer corruption again provides an arbitrary write, which is aimed at a saved return address in the stack frame rather than at the GOT. The write-up rates this method as less reliable than the others, though it still works under the right conditions.

Urgent Need for Firmware Updates

CVE-2024-20017 illustrates how much exploit development against MediaTek Wi-Fi chipsets depends on the mitigations of the specific firmware build: the same bug required a different technique for each combination of canaries, ASLR and RELRO, and none of those combinations stopped exploitation outright. Mitigations raise the cost of an attack; only a fixed copy removes it.

MediaTek published the fix in its March 2024 product security bulletin, but whether a given device has it depends on the OEM shipping updated firmware. Owners of Ubiquiti, Xiaomi, Netgear and other affected products should check their vendor's advisory for their exact model and install the latest firmware; until then, limiting which networks can reach the device's management and Wi-Fi services reduces exposure.

CVE-2024-20017 is a reminder of a recurring problem in embedded systems: a single unchecked length in a long-lived network daemon ends up in millions of devices across many vendors, and patching depends on every one of those vendors rebuilding and shipping firmware. Manufacturers and users alike need to treat such SDK-level flaws as their own.
