Comments on Project Zero: Over The Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)

Funbit, 2017-04-11 17:57 -07:00:
Wow, that wasn't easy!

Mike Matera, 2017-04-11 20:20 -07:00:
Amazing.

Anonymous, 2017-04-12 00:32 -07:00:
Is brcmfmac vulnerable to the same or similar exploit?

Giorgio Fedon, 2017-04-12 01:12 -07:00:
That's fun!

Tudor Constantin, 2017-04-12 07:11 -07:00:
Would this also apply to the wifi routers that use the broadcom chips and drivers?

Gal Beniamini, 2017-04-12 15:04 -07:00:
The firmware bugs we found were only relevant to the client-related logic, so I don't believe they apply to routers. As for the driver bugs - they were in Android's driver, so I'm pretty sure they don't apply to routers either.

Carchidi, 2017-04-12 18:13 -07:00:
Great fun! Like writing bootstrap code...

If I was 50 years younger, this would be my hobby!

Anonymous, 2017-04-15 11:49 -07:00:
Incredible and I mean incredible article! Really enjoyed and did require some repetitive paragraph reading on my part.

Lots of very interesting takeaways but the overloading of ethertype was one of the most fascinating. Not to be too conspiracy minded but what an easy backdoor to leave. Would be so easy to use later and not obvious. Easy deniability.

tommey, 2017-04-16 06:25 -07:00:
Hmm... trying to understand this piece of greatness but my System.Map doesn't contain any of the symbols used in rdev.py and therefore throws an error when trying to run the poc.

shiftright, 2017-04-17 00:01 -07:00:
Given the theme of this blog, it might be reasonable to provide an email addy to "pitch something over the transom" rather than appear as an open comment.

Gal Beniamini, 2017-04-18 03:58 -07:00:
The System.map needs to correspond to the kernel for the hammerhead on which you're running the exploit. You can also dump /proc/kallsyms and rename it to System.map. Note that there are other symbols you'll need to extract on your own (see symbols.py).

Alex, 2017-05-15 11:10 -07:00:
And yet, Google will not patch the vulnerability on Nexus 5 devices.

Anonymous, 2017-05-20 19:36 -07:00:
Hi! For the 'dhd_handle_swc_evt' Heap Overflow, do we also need the patches you mentioned in your first part? ("Regrettably, however, mac80211 is unable to process the special vendor frames, and simply rejects them. Nonetheless, this is just a minor inconvenience - I've written a few patches to mac80211 which add support for these special vendor frames. After applying these patches, re-compiling and booting the kernel, we are now able to send our crafted frames.")

If so, what patches do we need here to realize the 'dhd_handle_swc_evt' Heap Overflow?
Thanks!!!

Gal Beniamini, 2017-06-13 08:22 -07:00:
No. The patches for mac80211 were only needed on the attacker's side in order to allow mac80211 to send the crafted vendor frames used in the TDLS exploit.
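Gal Beniamini's reply about System.map above (dump /proc/kallsyms, rename it, and make sure it matches the kernel actually running on the hammerhead) implies two checks a practitioner wants before running rdev.py: that the dump really carries addresses, and that the map belongs to the running kernel. The script below is an added example written for this page; it is not code from the post or from the Project Zero PoC. The sample kallsyms lines are constructed (the addresses and the wl_example_fn name are made up; bcmdhd is only used as a plausible module name), and the list of symbols passed to require() is a placeholder for whatever names rdev.py and symbols.py actually reference, which this page does not enumerate.

```python
"""Parse a /proc/kallsyms or System.map dump, refuse one whose addresses
were hidden, and resolve a required symbol list with a clear failure.
Added example for this comment thread; not the PoC's own code."""
import re
import sys

# kallsyms lines are "<hex addr> <type> <name>" plus an optional "\t[module]";
# System.map has the same first three fields, which is why a kallsyms dump can
# be renamed to System.map as the reply above suggests.
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

# Constructed sample (32-bit ARM style addresses, as on the Nexus 5 kernel).
SAMPLE_KALLSYMS = """\
c0008000 T _text
c0008000 T stext
c0008240 t __create_page_tables
c00a5d80 T kallsyms_lookup_name
c0e2f000 D sys_call_table
bf000120 t wl_example_fn\t[bcmdhd]
"""

# Constructed sample of what an unprivileged read gives with kptr_restrict set.
SAMPLE_HIDDEN = """\
00000000 T _text
00000000 T kallsyms_lookup_name
"""


class SymbolError(Exception):
    """Raised when the symbol table cannot serve the requested names."""


def parse_symbols(text):
    """Parse kallsyms/System.map text into {name: address}.

    In-kernel symbols win over module symbols of the same name, and the first
    occurrence of a name is kept, so duplicate static names resolve the same
    way on every run.
    """
    kernel, modules = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise SymbolError("unparseable symbol line: %r" % line)
        addr, _kind, name, module = m.groups()
        table = modules if module else kernel
        table.setdefault(name, int(addr, 16))
    merged = dict(modules)
    merged.update(kernel)
    return merged


def check_addresses_visible(syms):
    """Reject a dump taken with kernel.kptr_restrict in effect.

    /proc/kallsyms then prints every address as zeros for readers without
    CAP_SYSLOG, so the dump parses cleanly but every computed address is
    garbage; better to fail here than deep inside the exploit.
    """
    if syms and all(addr == 0 for addr in syms.values()):
        raise SymbolError("all addresses are zero: read /proc/kallsyms as root "
                          "or set /proc/sys/kernel/kptr_restrict to 0 first")


def require(syms, names):
    """Return {name: addr} for every needed symbol, or name all the misses."""
    missing = [n for n in names if n not in syms]
    if missing:
        raise SymbolError("symbol table lacks %d required symbol(s): %s"
                          % (len(missing), ", ".join(missing)))
    return {n: syms[n] for n in names}


def mismatches(offline_syms, live_syms, names):
    """Compare an offline System.map with the device's live /proc/kallsyms.

    Any differing address means the map was built from a different kernel
    than the one running on the hammerhead; returns (name, offline, live).
    """
    out = []
    for n in names:
        if n in offline_syms and n in live_syms and offline_syms[n] != live_syms[n]:
            out.append((n, offline_syms[n], live_syms[n]))
    return out


if __name__ == "__main__":
    # Usage: python check_symbols.py System.map live_kallsyms.txt sym1 sym2 ...
    offline = parse_symbols(open(sys.argv[1]).read())
    live = parse_symbols(open(sys.argv[2]).read())
    check_addresses_visible(live)
    needed = sys.argv[3:]          # placeholder: the names rdev.py really uses
    require(offline, needed)
    for name, a, b in mismatches(offline, live, needed):
        print("%s: System.map %08x != device %08x" % (name, a, b))
```

The live dump is taken on the device itself; with kptr_restrict enabled that requires a root shell (for example via adb and su, an assumption about the test setup), and the check_addresses_visible() guard is there precisely because an unprivileged read does not fail, it just returns zeros.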