Yesterday published details of the vulnerability, affecting the firmware of a popular chip Wi-Fi, is used in a very wide range of devices such as laptops, smartphones, slot machines, routers and Internet of Things (IoT). Discovered Embedi researcher Denis peasants vulnerability affects ThreadX, realtime operating system (RTOS), which is used as an EEPROM for billions of devices.
In the published report described Mr Villager, an attacker can use ThreadX firmware, installed on the wireless chipset Marvell Avastar 88W8897, for the execution of malicious code without any user intervention. The researcher chose this SoC, because it is one of the most popular Wi-Fi chipsets on the market and used in the PlayStation 4 и Xbox One, Microsoft Surface laptops, Samsung hrombukah, Galaxy smartphones and even streaming devices like Valve SteamLink (of course, the list is long).
"I was able to identify some 4 Problems, associated with complete memory corruption in some parts of the firmware, - noted scholar. — One of the vulnerabilities was a special case of the block pool overflow ThreadX. This vulnerability can be triggered without user intervention - in the process of scanning for available networks ".
The researcher notes, that the firmware function to scan new Wi-Fi networks will start automatically every five minutes, making use of the vulnerability of a simple task. Everything, you need to do an attacker - is to send distorted Wi-Fi packets to any device with a chip Marvell Avastar and wait, while the function will start, execute malicious code and provides access to the device. "That's why, this error is so steep and gives the opportunity to break into the device literally without a single mouse click in any wireless connection status (even if the device is not connected to any network)», - said Denis Villager.
Besides, expert said, that singled out two more ways to use this trick, one of which is specific for ThreadX firmware implementation Marvell, and the other - the universal and can be applied to any firmware based on ThreadX, which, if you believe the ThreadX home page, used in 6,2 billion devices.
Denis Selyanina report contains the technical details of the vulnerability and use the demo video. Sam code, allowing to carry out hacking, It has not been published for obvious reasons. Patches are already in development.
