An essential flaw in MediaTek Wi-Fi chipsets, frequently utilized in integrated platforms supporting Wi-Fi 6 (802.11ax), has been found, enabling malevolent entities to initiate remote code execution (RCE) assaults without any user involvement.
This zero-click vulnerability, identified as CVE-2024-20017, impacts a broad array of gadgets from companies like Ubiquiti, Xiaomi, and Netgear.
The flaw is located within the wappd
network daemon, a component of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle.
It is chiefly employed to set up and synchronize wireless interfaces and access points using Hotspot 2.0 and related technologies, as outlined by coffinsec.
The glitch results from a buffer overflow initiated by a copying operation that employs a length value extracted directly from attacker-manipulated packet data, devoid of any boundary verification, making it feasible for up to 1433 bytes of malevolent data to overrun the stack.
Researchers have devised four distinct exploits for this vulnerability, each aimed at diverse exploit mitigations and circumstances.
4 Distinct Exploits
The initial exploit showcases a traditional return instruction pointer (RIP) hijack, leveraging the stack overflow to corrupt the saved return address and divert execution towards an ROP gadget that invokes system()
for executing shell commands.
The second exploit circumvents stack canaries and ASLR by tampering with a pointer to achieve an arbitrary write privilege.
This technique is employed for overwriting the GOT (Global Offset Table) entry of read()
with the address of an ROP gadget, which subsequently transfers to system()
to implement a shell payload, as mentioned by coffinsec in their statement.
The third exploit, directed at a version equipped with full RELRO (Read-Only Relocations), uses ROP to secure an arbitrary write privilege.
It formulates chains of gadgets to inscribe an arbitrary 8-byte value to a specific address, eventually inscribing a shell command into the .bss
or .data
segments, which are easily predictable and modifiable.
This exploit subsequently transitions to a concluding ROP chain that transfers the address of the shell command into the relevant register and invokes system()
.
The fourth exploit targets the Netgear WAX206, which implements ASLR, NX, full RELRO, and stack canaries. Due to the function inlining and arm64 semantics, the exploit strategy had to be restructured.
It leverages pointer manipulation to acquire an arbitrary write privilege via the pPktBuf
pointer and later corrupts the saved return address in the stack frame for IAPP_RcvHandler()
.
This exploit is distinctive in its requirement for the process to cease and encounter the corrupted return address, rendering it less dependable yet still potent.
This vulnerability underscores the intricacy and ingenuity involved in exploit development, where different methodologies must be adopted depending on the particular conditions and mitigations prevalent in the designated environment.
Individuals using affected devices are urged to upgrade their firmware to the most recent version to alleviate this vulnerability. The unveiling of CVE-2024-20017 underlines the continual challenges in securing embedded systems and the imperative need for sustained vigilance in identifying and rectifying potential security loopholes.
The article 0-Click RCE Vulnerability in MediaTek Wi-Fi Chipsets Allows Remote Exploitation was firstly reported on Cyber Security News.