A critical vulnerability in MediaTek Wi-Fi chipsets, commonly used in embedded platforms supporting Wi-Fi 6 (802.11ax), has been discovered, allowing attackers to launch remote code execution (RCE) attacks without any user interaction.
This 0-click vulnerability, CVE-2024-20017, affects a wide range of devices from manufacturers such as Ubiquiti, Xiaomi, and Netgear.
The vulnerability resides in the wappd
network daemon, a part of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle.
It is primarily used to configure and coordinate wireless interfaces and access points using Hotspot 2.0 and related technologies, according to coffinsec.
The bug is a buffer overflow caused by a copy operation that uses a length value taken directly from attacker-controlled packet data without bounds checking, allowing up to 1433 bytes of attacker-controlled data to overflow the stack.
Meet the CISOs, Join the Virtual Panel to Learn compliance – Join Free
Researchers have developed four different exploits for this bug, each targeting different exploit mitigations and conditions.
4 Different Exploits
The first exploit demonstrates a classic return instruction pointer (RIP) hijack, using the stack overflow to corrupt the saved return address and redirect execution to an ROP gadget that calls system()
to execute shell commands.
The second exploit bypasses stack canaries and ASLR by corrupting a pointer to achieve an arbitrary write primitive.
This is used to overwrite the GOT (Global Offset Table) entry of read()
with the address of a ROP gadget, which then jumps to system()
to execute a shell payload, coffinsec said.
The third exploit, targeting a version with full RELRO (Read-Only Relocations), uses ROP to obtain an arbitrary write primitive.
It chains gadgets to write an arbitrary 8-byte value to an arbitrary address, eventually writing a shell command into the .bss
or .data
segments, which are predictable and writeable.
This exploit then jumps to a final ROP chain that places the address of the shell command into the appropriate register and calls system()
.
The fourth exploit targets the Netgear WAX206, which has ASLR, NX, full RELRO, and stack canaries enabled. Due to the inlining of functions and arm64 semantics, the exploit strategy had to be adapted.
It uses pointer corruption to achieve an arbitrary write primitive via the pPktBuf
pointer and then corrupts the saved return address in the stack frame for IAPP_RcvHandler()
.
This exploit is unique in that it requires the process to terminate and hit the corrupted return address, making it less reliable but still effective.
This vulnerability highlights the complexity and creativity involved in exploit development, where different approaches must be taken based on the specific conditions and mitigations present in the target environment.
Users of affected devices are advised to update their firmware to the latest version to mitigate this vulnerability. The discovery of CVE-2024-20017 serves as a reminder of the ongoing challenges in securing embedded systems and the need for continuous vigilance in identifying and addressing potential security flaws.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial