Friend
Professional
- Messages
- 2,675
- Reaction score
- 987
- Points
- 113
Buffer overflow turns your devices into convenient digital targets.
On August 30, 2024, a security researcher under the nickname @hyprdude published a detailed report on the CVE-2024-20017 vulnerability found in the wappd network daemon. This daemon is used in MediaTek's SDK and SoftAP drivers for Wi-Fi 6-enabled chipsets, and is often found in devices such as Ubiquiti, Xiaomi, and Netgear routers.
The vulnerability is a buffer overflow caused by improper processing of data coming from network packets. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on vulnerable devices using a variety of attack methods. The report @hyprdude describe four approaches to exploiting this vulnerability.
Method 1. RIP Capture and ROP Execution
The first method of operation is based on a simple Return Pointer (RIP) capture using ROP chaining. This method is most effective on systems that do not use modern security mechanisms, such as ASLR (Address Space Randomization) and Stack Canary.
The essence of the method is to overflow the stack to the point where it is possible to overwrite the return address of the function on the stack with the address pointing to the payload. In this case, an ROP chain is used that calls the "system()" function with a pre-prepared command to execute on the device. This allows the attacker to take full control of the device. This method is the simplest, but it is already outdated due to the widespread use of protective technologies.
Method 2. Arbitrary writing through pointer corruption
The second method is based on a more complex concept and requires defense mechanisms such as ASLR, stack canaries, and RELRO partial protection. In this case, the attacker uses the Pointer Corruption stack overflow feature, which allows him to control where the data is written in memory.
Using this method, a hacker can overwrite the GOT (Global Offset Table) table, which contains the addresses of the functions used by the program. By spoofing the addresses in the GOT table, an attacker can redirect the execution of the program to his code, which allows him to execute arbitrary commands on the device. This method is more difficult to implement, but much more effective on secure systems.
Method 3. Reverting to Return Address Overwrite and Using ROP on Systems with Full RELRO Protection
The third method is even more difficult to implement because the system uses full RELRO protection, which makes it impossible to modify the GOT table. Here, the attacker uses a combination of methods: first, he achieves an arbitrary write, and then creates a complex ROP chain that allows him to bypass the protection and execute the desired command.
This ROP chain uses multiple sequential commands that manipulate registers and the stack to bypass the system's defense mechanisms. At the end of the chain, the system calls the "system()" function, passing the necessary command to it. This method is particularly difficult to implement because it requires a thorough understanding of the architecture and security of the operating system.
Method 4. Running on a real ARM64 device
The fourth method was developed specifically to exploit the vulnerability on a real device, the Netgear WAX206 router with the ARM64 architecture. This device uses all modern security methods, including ASLR, NX, full RELRO protection, and stack canaries. However, due to the peculiarities of the ARM64 architecture and code optimization methods, the attacker managed to find a way to bypass the protection. It uses JOP (Jump Oriented Programming) instead of ROP to redirect program execution.
The method used involves several steps: first, the attacker gets the ability to write data to arbitrary memory locations, then he overwrites the return address and other critical structures in memory to prepare the execution of the "system()" command. This technique clearly demonstrates how difficult it can be to exploit vulnerabilities on real devices, especially given the peculiarities of the ARM64 architecture.
Bonus. Exploiting a kernel vulnerability through IOCTL calls
At the end of the report, the author presented another interesting method that allows you to use an exploit to attack a vulnerability in the operating system kernel. Using the JOP chain, an attacker can make arbitrary calls to IOCTL, which allows them to gain access to critical kernel functions and expand control over the device. This technique is difficult to implement, but its use shows how powerful a single exploit can be if it targets different layers of the system.
Conclusion
This detailed analysis of CVE-2024-20017 highlights the importance of using multi-layered security in modern systems. The same bug can be exploited in different ways to attack, and each of these methods requires deep knowledge and creativity in exploit development.
This example illustrates very well that even a simple buffer overflow can turn into a serious security risk if an attacker has enough knowledge and resources to exploit it.
Source
On August 30, 2024, a security researcher under the nickname @hyprdude published a detailed report on the CVE-2024-20017 vulnerability found in the wappd network daemon. This daemon is used in MediaTek's SDK and SoftAP drivers for Wi-Fi 6-enabled chipsets, and is often found in devices such as Ubiquiti, Xiaomi, and Netgear routers.
The vulnerability is a buffer overflow caused by improper processing of data coming from network packets. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on vulnerable devices using a variety of attack methods. The report @hyprdude describe four approaches to exploiting this vulnerability.
Method 1. RIP Capture and ROP Execution
The first method of operation is based on a simple Return Pointer (RIP) capture using ROP chaining. This method is most effective on systems that do not use modern security mechanisms, such as ASLR (Address Space Randomization) and Stack Canary.
The essence of the method is to overflow the stack to the point where it is possible to overwrite the return address of the function on the stack with the address pointing to the payload. In this case, an ROP chain is used that calls the "system()" function with a pre-prepared command to execute on the device. This allows the attacker to take full control of the device. This method is the simplest, but it is already outdated due to the widespread use of protective technologies.
Method 2. Arbitrary writing through pointer corruption
The second method is based on a more complex concept and requires defense mechanisms such as ASLR, stack canaries, and RELRO partial protection. In this case, the attacker uses the Pointer Corruption stack overflow feature, which allows him to control where the data is written in memory.
Using this method, a hacker can overwrite the GOT (Global Offset Table) table, which contains the addresses of the functions used by the program. By spoofing the addresses in the GOT table, an attacker can redirect the execution of the program to his code, which allows him to execute arbitrary commands on the device. This method is more difficult to implement, but much more effective on secure systems.
Method 3. Reverting to Return Address Overwrite and Using ROP on Systems with Full RELRO Protection
The third method is even more difficult to implement because the system uses full RELRO protection, which makes it impossible to modify the GOT table. Here, the attacker uses a combination of methods: first, he achieves an arbitrary write, and then creates a complex ROP chain that allows him to bypass the protection and execute the desired command.
This ROP chain uses multiple sequential commands that manipulate registers and the stack to bypass the system's defense mechanisms. At the end of the chain, the system calls the "system()" function, passing the necessary command to it. This method is particularly difficult to implement because it requires a thorough understanding of the architecture and security of the operating system.
Method 4. Running on a real ARM64 device
The fourth method was developed specifically to exploit the vulnerability on a real device, the Netgear WAX206 router with the ARM64 architecture. This device uses all modern security methods, including ASLR, NX, full RELRO protection, and stack canaries. However, due to the peculiarities of the ARM64 architecture and code optimization methods, the attacker managed to find a way to bypass the protection. It uses JOP (Jump Oriented Programming) instead of ROP to redirect program execution.
The method used involves several steps: first, the attacker gets the ability to write data to arbitrary memory locations, then he overwrites the return address and other critical structures in memory to prepare the execution of the "system()" command. This technique clearly demonstrates how difficult it can be to exploit vulnerabilities on real devices, especially given the peculiarities of the ARM64 architecture.
Bonus. Exploiting a kernel vulnerability through IOCTL calls
At the end of the report, the author presented another interesting method that allows you to use an exploit to attack a vulnerability in the operating system kernel. Using the JOP chain, an attacker can make arbitrary calls to IOCTL, which allows them to gain access to critical kernel functions and expand control over the device. This technique is difficult to implement, but its use shows how powerful a single exploit can be if it targets different layers of the system.
Conclusion
This detailed analysis of CVE-2024-20017 highlights the importance of using multi-layered security in modern systems. The same bug can be exploited in different ways to attack, and each of these methods requires deep knowledge and creativity in exploit development.
This example illustrates very well that even a simple buffer overflow can turn into a serious security risk if an attacker has enough knowledge and resources to exploit it.
Source
