"Broadpwn" Bug Affects Millions of Android and iOS Devices- Advisory [CVE-2017-9417]

Vulnerability Overview:

Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitrary code via unspecified vectors, aka the "Broadpwn" issue.

Details:

Broadpwn bug is actually a heap overflow on Broadcom Wi-Fi chips which is triggered, when a device receives a WME (Quality-of-Service) information element with a malformed length from a connected network. The exploitation does not require any user interaction. A victim needs to connect his/her device to attacker wi-fi signal.

Another android security researcher, Zhuowei Zhang has reversed engineered the Android July 2017 security patch just to find out more details about Broadpwn bug.

To analyse the bug in more details, Zhang compared the Nexus 6P (N2G47W) June 2017 firmware with the patched July 2017 firmware (N2G48B). He followed Project Zero’s and Nexmon guide to extract the firmware.

On further analysis, he discovered the “wlc_bss_parse_wme_” function which is called to handle association, re-association and beacon packets. The beacon packets contain information elements (IE) that contains data for extensions to the Wi-Fi standard.

This bug occurs in the association/reassociation section. It copies the received Information Element (IE) to a preallocated heap buffer that's 24 (0x18) bytes long, sized for the largest valid WME information element, but uses the length from the information element header, which can be up to 255 (0xff), creating a heap out-of-bounds write of 231 bytes.

The patched firmware verifies the length of the IE: if it's not 24 bytes, the firmware ignores the IE, fixing the bug.

Impact:

An attacker within range may be able to execute arbitrary code on the unpatched Broadcom BCM43xxfamily of Wi-Fi chipset.

Who is affected?

The bug is present in firmware of unpatched Broadcom BCM43xx family of Wi-Fi chips that is found in wide range of mobile devices - from various iPhone models since iphone 4, to HTC, LG, Nexus and the full range of Samsung flagship devices.

Recommended Solution:

Android Security Bulletin released fixed on 5th July 2017

Update to iOS 10.3.3 released on 19th July 2017

Appendix:
External Source:

https://source.android.com/security/bulletin/2017-07-01 : CONFIRM

http://www.cvedetails.com/cve/CVE-2017-9417/

http://www.securityfocus.com/bid/99482/info

System Affected/Related OS and Version:

This issue affects
m:bcm43xx_wi-fi_chipset_firmware:-

Appendix:
External Source:MISC
https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromi...
External Source:BID
http://www.securityfocus.com/bid/99482
External Source:CONFIRM
https://source.android.com/security/bulletin/2017-07-01

Threat Category: