Google on Tuesday disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability in Broadcom chipsets patched this week in iOS 11. The attack enables code execution and persistent presence on a compromised device.
“The exploit gains code execution on the Wi-Fi firmware on the iPhone 7,” said Google Project Zero researcher Gal Beniamini, whose comments were part of a bug report made public Tuesday. “Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” Beniamini said.
Beniamini said his exploit has been tested against the firmware packaged with iOS 10.2 and that it should work on versions up to and including 10.3.3. BCM4355C0 System on Chip with firmware version 126.96.36.199.0.1.56 is affected.
Apple said the bug, CVE-2017-11120, was a memory corruption issue and addressed it in the security update accompanying the release of iOS 11.
The vulnerability lives in Broadcom chips used by Apple in the iPhone and other products, including tvOS used in Apple TV and watchOS used in the Apple Watch. Android also makes use of the same chips, and Google patched the bug in the September Android Security Bulletin.
Beniamini’s original bug report, dated June 12, says the chips are also in Wi-Fi routers and their function is to manage Wi-Fi connections “without delegating to the host OS.” The report explains how an attacker can take advantage of a lack of validation around a particular field and overrun it with a large value.
“While the maximal allowed channel number is 0xE0, by providing a larger value (such as 0xFF), the function above will increment a 16-bit word beyond the bounds of the heap-allocated buffer, thereby performing an OOB write,” Beniamini wrote, adding that the code path exists on several firmware versions including versions present on the iPhone 7 and Samsung Galaxy S7 Edge.
This vulnerability harkens back to Broadpwn, which was disclosed and patched by Google and Apple this summer and explained during a Black Hat talk by researcher Nitay Artenstein of Exodus Intelligence.
Similarly, Broadpwn allows for remote compromise of devices without user interaction, a rarity as Artenstein called it in a report published in late July. He described Broadpwn as a fully remote attack against the BCM43xx Wi-Fi chipsets from Broadcom, and that an attacker could gain code execution on the main application processor in Android and iOS.
Artenstein also explained that the Broadcom chips on mobile devices lack ASLR memory protections, and that the RAM has permissions that allow for read, write and running code anywhere in memory. At the time, he also said there was no integrity check on the firmware, making it easier for an attacker to patch, or replace, the firmware with a malicious version.