Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2) (Project Zero)

Here’s the second part in the detailed Google Project Zero series on using the Broadcom WiFi stack to compromise the host system. “In this post, we’ll explore two distinct avenues for attacking the host operating system. In the first part, we’ll discover and exploit vulnerabilities in the communication protocols between the Wi-Fi firmware and the host, resulting in code execution within the kernel. Along the way, we’ll also observe a curious vulnerability which persisted until quite recently, using which attackers were able to directly attack the internal communication protocols without having to exploit the Wi-Fi SoC in the first place! In the second part, we’ll explore hardware design choices allowing the Wi-Fi SoC in its current configuration to fully control the host without requiring a vulnerability in the first place.”