Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution


A vulnerability in the firmware of a Wi-Fi chipset that is widely used in laptops, streaming, gaming and a variety of “smart” devices can be exploited to compromise them without user interaction.

The research and the discovered flaws

The discovery was made by Embedi researcher Denis Selianin, who first analyzed the Marvell Avastar Wi-Fi driver code, which loads the firmware onto the Wi-Fi SoC (system on chip), and then moved on to fuzzing the firmware itself.

“A device manufacturer supplies appropriate firmware images and operating system device drivers, so during startup, a driver can upload firmware enabling its main functionality to the Wi-Fi SoC,” he explained.

Marvell Avastar Wi-Fi vulnerability

He discovered several vulnerabilities in the proprietary ThreadX firmware, but according to him the most interesting one is a block pool overflow that can be triggered without user interaction while the device scans for available networks.

“This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE in just powered-on Samsung Chromebook,” Selianin noted.

The flaw can be exploited both on the original ThreadX firmware and the Marvell Avastar Wi-Fi SoC (i.e., Marvell’s implementation of the ThreadX firmware), he found.
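As an added illustration (not the researcher's code, and not the actual ThreadX or Marvell firmware, whose internals the article does not give), a constructed C model of why an unchecked copy into a fixed-size block pool silently corrupts the adjacent block, beside the length-checked version a firmware developer would want. The pool layout, record format and canary are assumptions made for the demonstration.

```c
#include <string.h>
#include <stdint.h>

/* Constructed model of a fixed-size block pool in the style of a ThreadX
 * block pool: blocks sit back to back with no guard bytes between them.
 * Illustrative only; this is not the Marvell/ThreadX implementation. */
#define BLOCK_SIZE 32
#define NUM_BLOCKS 2
#define CANARY     0xA5

static uint8_t pool[NUM_BLOCKS * BLOCK_SIZE];

/* Reset the pool and fill block 1 with a canary so corruption is detectable. */
void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    memset(pool + BLOCK_SIZE, CANARY, BLOCK_SIZE);
}

/* Returns 1 if block 1 still holds its canary, 0 if block 0 overran into it. */
int neighbour_intact(void) {
    for (int i = 0; i < BLOCK_SIZE; i++)
        if (pool[BLOCK_SIZE + i] != CANARY) return 0;
    return 1;
}

/* Unsafe: copies an externally supplied, length-prefixed record (think of a
 * scan-result element received over the air) into block 0, trusting the
 * length carried by the record itself. */
void copy_record_unchecked(const uint8_t *rec, uint8_t len) {
    memcpy(pool, rec, len);
}

/* Hardened: refuses any record that does not fit the fixed-size block. */
int copy_record_checked(const uint8_t *rec, uint8_t len) {
    if (len > BLOCK_SIZE) return -1;
    memcpy(pool, rec, len);
    return 0;
}

/* Drives both versions with a constructed 48-byte record. Returns 1 when the
 * unchecked copy corrupts block 1 and the checked copy leaves it intact. */
int demo(void) {
    uint8_t rec[48];
    memset(rec, 0x41, sizeof rec);      /* constructed oversized record */
    pool_reset();
    copy_record_unchecked(rec, sizeof rec);
    int corrupted = !neighbour_intact();
    pool_reset();
    int rc = copy_record_checked(rec, sizeof rec);
    return corrupted && rc == -1 && neighbour_intact();
}
```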

He then went on to demonstrate how an attacker could chain that exploit with a privilege escalation vulnerability to execute code on the application processor of SteamLink, a desktop streaming device that sports the vulnerable Marvell Avastar Wi-Fi SoC:

What now?

This research was presented last November at the ZeroNights conference.

At the time Selianin said he would publish all of his research as soon as a fix for the vulnerabilities was made available, but in his recent blog post he did not confirm that the fix has already been pushed out.

The vulnerable Marvell Avastar Wi-Fi SoC can be found in the Sony PlayStation 4, Microsoft Surface computers, Xbox One, Samsung Chromebooks, certain smartphones (e.g., Galaxy J1), Valve SteamLink and other devices.

UPDATE (January 26, 2019, 2:00 AM PT):

Marvell got in touch to confirm that they deployed a fix to address this issue, which they have made available in their standard driver and firmware. They have also communicated to their direct customers to update to the latest firmware and driver to get the most recent security enhancements.

“In the presentation, detail was provided to manipulate the open-source Valve Steamlink platform to exploit a memory buffer overflow issue in the device firmware. Unlike this non-secure Valve Steamlink platform, the other systems mentioned in the presentation are all closed systems with high-level security protections in place such as DRM. As noted in the presenter’s blog, this would eliminate the ability for an individual to compromise the system security,” they explained.

Finally, they pointed out that they are not aware of any real world exploitation of this vulnerability outside of a controlled environment.