A critical 0-click RCE vulnerability (CVE-2024-20017) in MediaTek Wi-Fi 6 chipsets, used by devices like Ubiquiti, Xiaomi, and Netgear, allows remote attacks without user interaction.
The vulnerability is located in the wappd network daemon, found in MediaTek’s MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle, used for managing wireless interfaces and Hotspot 2.0 technologies.
According to CoffinSec, the flaw is a buffer overflow caused by copying attacker-controlled packet data without proper bounds checking, allowing up to 1433 bytes to overflow the stack.
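The root cause described above, a copy whose length is taken from the packet and never compared with the destination buffer, is a generic pattern in network daemons. The following C example is added here for illustration and is not wappd's code or CoffinSec's; the wire format (a one-byte type, a big-endian two-byte length, then payload) and the 256-byte buffer are constructed assumptions. It places the unchecked copy beside a hardened parser that validates the declared length against both the bytes actually received and the destination size before calling memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ELEMENT_BUF_SIZE 256

/* Constructed element format for illustration (not the real wappd format):
 *   byte 0     : element type
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload
 */
#define HDR_LEN 3

static uint16_t rd16be(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern (hypothetical): the copy length comes straight from the
 * packet and is never compared with the destination size, so a large declared
 * length writes past the fixed stack buffer. Shown only to mark the missing
 * checks; it is deliberately never called on untrusted input below. */
int copy_element_unchecked(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[ELEMENT_BUF_SIZE];
    if (pkt_len < HDR_LEN) return -1;
    size_t n = rd16be(pkt + 1);
    memcpy(buf, pkt + HDR_LEN, n);   /* BUG: n unchecked against sizeof(buf) and pkt_len */
    return (int)n;
}

/* Hardened version: the declared length must fit in what was actually
 * received AND in the destination buffer. Returns the number of payload
 * bytes copied, or -1 for a malformed packet. */
int copy_element_checked(const uint8_t *pkt, size_t pkt_len,
                         uint8_t *out, size_t out_size) {
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < HDR_LEN) return -1;          /* header truncated */
    size_t n = rd16be(pkt + 1);
    if (n > pkt_len - HDR_LEN) return -1;      /* claims more bytes than received */
    if (n > out_size) return -1;               /* would overflow the destination */
    memcpy(out, pkt + HDR_LEN, n);
    return (int)n;
}

/* Caller with a fixed stack buffer, the shape of code that gets hit by
 * this bug class. Returns copied length or -1. */
int parse_element(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[ELEMENT_BUF_SIZE];
    return copy_element_checked(pkt, pkt_len, buf, sizeof buf);
}

/* Constructed sample packets. */
static const uint8_t good_pkt[]  = { 0x10, 0x00, 0x04, 'a', 'b', 'c', 'd' };
/* Declares 0x0600 = 1536 payload bytes but carries only four: rejected. */
static const uint8_t lying_pkt[] = { 0x10, 0x06, 0x00, 'a', 'b', 'c', 'd' };

int demo_good(void)  { return parse_element(good_pkt, sizeof good_pkt); }   /* 4  */
int demo_lying(void) { return parse_element(lying_pkt, sizeof lying_pkt); } /* -1 */

/* Length is consistent with the bytes received (297 = 300 - HDR_LEN) but
 * exceeds the 256-byte destination: the second check must catch it. */
int demo_oversize(void) {
    uint8_t big[300];
    memset(big, 'A', sizeof big);
    big[0] = 0x10; big[1] = 0x01; big[2] = 0x29;   /* 0x0129 = 297 */
    return parse_element(big, sizeof big);         /* -1 */
}
```

The two length checks are independent: a packet can be internally consistent and still larger than the buffer, which is why validating against the received length alone is not enough.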
Researchers developed four exploits for this bug, each targeting specific mitigations.
The first exploit uses a stack overflow to hijack the return instruction pointer (RIP) and redirect execution to a system() call, allowing shell commands.
The second exploit bypasses stack canaries and ASLR by corrupting a pointer, creating an arbitrary write. This overwrites the Global Offset Table (GOT) entry for read(), which then jumps to system() to execute a shell payload.
The third exploit, which targets a version with full RELRO, uses Return-Oriented Programming (ROP) to gain an arbitrary write ability. It chains gadgets to write a shell command into predictable, writable memory sections like .bss or .data. The exploit then executes the command by placing its address in the right register and calling system().
The fourth exploit, aimed at the Netgear WAX206 with ASLR, NX, full RELRO, and stack canaries, had to adapt its strategy due to arm64 semantics and inlined functions.
This exploit is less reliable than the others because it requires the process to terminate and reach the corrupted return address. Despite this, it remains effective under certain conditions.
Significance of the Vulnerability
CVE-2024-20017 highlights the complexity of exploit development. Different techniques and approaches are required depending on the mitigations and conditions of the target environment.
Mitigation
Users of affected devices should update their firmware to the latest version to mitigate this vulnerability. The discovery underscores the challenges of securing embedded systems and the need for continuous vigilance.