Inspecting CVE-2016-0801 , Broadcom WiFi Driver RCE Crticial Bug

1. Hacking with
style

2. ‘94
‘97
‘03 ‘14
‘16‘12
Who am I ?

3. Is it ?!

4. 11 days later..

5. White White
Local
Root
Remote
Root
Remote
Root
Which Root ?
{XDA} {Finch} {Zerodium}

6. Howto Root ?
Finch Style 
• Qualcomm CVE-2015-0570
• Broadcom CVE-2016-0801 *
• MediaTek CVE-2016-2453
Needed 
• Find the execution path
• Prepare PoC

7. CVE-2016-0801
Execution Path
• char devname[100];
• wl_validate_wps_ie()
• wl_cfg80211_add_set_beacon()
• struct wl_cfg80211_ops = {
• .set_beacon = wl_cfg80211_add_set_beacon
• .add_beacon = wl_cfg80211_add_set_beacon

8. PoC 
• Probe Respone Packet
CVE-2016-0801

9. PoC 
• Probe Respone Packet
CVE-2016-0801

10. CVE-2016-0801
Result 
• Nexus 5 , Samsung S5, Note5, … ???
• DO NOT forget to check IF-ELSE blocks!
• wl_cfg80211.c line #7728
#if (LINUX_VERSION_CODE < KERNEL_VERSION(3, 4, 0))
.set_beacon = wl_cfg80211_add_set_beacon,
.add_beacon = wl_cfg80211_add_set_beacon,
#else
.change_beacon = wl_cfg80211_change_beacon,
.start_ap = wl_cfg80211_start_ap,
.stop_ap = wl_cfg80211_stop_ap,
#endif

11. drivers/net/wireless/bcmdhd/wl_cfg80211.c 
• wl_cfg80211_change_beacon()
CVE-2016-0801

12. Others
Qualcomm Adreno GPU MSM Driver Heap Overflow 
• No CVE assigned
• (mis)security  t = min_t(int, group->reg_count, count);
• buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
• Bug added June 2014  Bug patched July 2015 (!)
• Samsung S5 Avea inTouch

13. Others
Qualcomm MSM Debugfs Arbitrary Write
• CVE-2016-2443
• /sys/kernel/debug/mddi/reg -rw-r--r-- root root
• Root ≠ Root
• SELinux context

14. Nopcon Specials
• Ebook about KASLR (Turkish)
• WPS Probe Response Packet Generator (Github)
(CVE-2016-0801 - PoC)
• Links? Follow @abd_sec

15. Thanks !
---------
Questions ?
@abd_sec
@kyabd