CVE-2024-20017 (CVSS 9.8): Zero-Click Exploit Discovered in Popular Wi-Fi Chipsets, PoC Published

[Image: CVE-2024-20017 exploit PoC. Credit: Hyprdude]

Security researcher Hyprdude has published detailed information and a proof-of-concept (PoC) exploit for a critical vulnerability identified as CVE-2024-20017. With a CVSS score of 9.8, this vulnerability poses a severe risk, potentially allowing attackers to execute remote code on vulnerable devices without the need for user interaction.

The CVE-2024-20017 vulnerability is rooted in the wappd network daemon, a critical component of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. These chipsets are widely used in Wi-Fi 6 (802.11ax) devices, including popular models from Ubiquiti, Xiaomi, and Netgear. The wappd service manages wireless interfaces and access points, particularly in configurations involving Hotspot 2.0 and related technologies.

This vulnerability affects a range of MediaTek chipsets, including MT6890, MT7915, MT7916, MT7981, MT7986, and MT7622. This means a vast array of devices, from routers to smartphones, are potentially at risk. The affected software includes MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02.

The vulnerability arises from an out-of-bounds write due to improper input validation within the wlan service. Specifically, it is caused by a buffer overflow in the IAPP_RcvHandlerSSB() function. This function processes data received from network sockets, and a lack of thorough bounds checking allows an attacker to craft malicious packets that can overflow a 167-byte stack-allocated buffer, potentially overwriting critical memory regions.

The vulnerable code snippet from IAPP_RcvHandlerSSB() is shown below:

pSendSB = (RT_IAPP_SEND_SECURITY_BLOCK *) pPktBuf;

/* size the heap message from the Length field supplied in the packet */
BufLen = sizeof(OID_REQ);
pSendSB->Length = NTOH_S(pSendSB->Length);
BufLen += FT_IP_ADDRESS_SIZE + IAPP_SB_INIT_VEC_SIZE + pSendSB->Length;

IAPP_CMD_BUF_ALLOCATE(pCmdBuf, pBufMsg, BufLen);
if (pBufMsg == NULL)
    return;
/* End of if */

/* command to notify that a Key Req is received */
DBGPRINT(RT_DEBUG_TRACE, "iapp> IAPP_RcvHandlerSSB\n");

OidReq = (POID_REQ) pBufMsg;
OidReq->OID = (RT_SET_FT_KEY_REQ | OID_GET_SET_TOGGLE);

/* peer IP address */
IAPP_MEM_MOVE(OidReq->Buf, &PeerIP, FT_IP_ADDRESS_SIZE);

/* nonce & security block: these copies land in the heap buffer sized above */
IAPP_MEM_MOVE(OidReq->Buf + FT_IP_ADDRESS_SIZE,
              pSendSB->InitVec, IAPP_SB_INIT_VEC_SIZE);
IAPP_MEM_MOVE(OidReq->Buf + FT_IP_ADDRESS_SIZE + IAPP_SB_INIT_VEC_SIZE,
              pSendSB->SB, pSendSB->Length);

/* BUG: overflow occurs here. kdp_info is a fixed-size (167-byte) stack
 * buffer, but the copy length comes straight from the packet with no
 * bounds check against the destination size. */
IAPP_MEM_MOVE(&kdp_info, pSendSB->SB, pSendSB->Length);
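As an added example, not code from the advisory, the researcher, or the MediaTek SDK, here is a hardened version of the same receive path in C. The wire layout, the 16-byte IV size and the function names are assumptions; the 167-byte kdp_info size is the one the article gives. It adds the two checks the vulnerable handler lacks: the network-supplied Length must fit both the bytes actually received and the fixed-size destination before anything is copied.

```c
#include <stdint.h>
#include <string.h>

/* Assumed wire layout (constructed for this example, not the MediaTek SDK's):
 * 2-byte big-endian Length, 16-byte InitVec, then Length bytes of SB payload.
 * 167 is the kdp_info size the article gives; the IV size is an assumption. */
#define SB_IV_SIZE     16
#define SB_HDR_SIZE    (2 + SB_IV_SIZE)
#define KDP_INFO_SIZE  167

/* Hardened receive path: the packet-supplied Length is checked against both
 * the bytes actually received and the destination capacity before any copy.
 * Returns the number of SB bytes copied into kdp_info, or -1 on rejection. */
int rcv_security_block(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *kdp_info, size_t kdp_cap)
{
    if (pkt == NULL || kdp_info == NULL || pkt_len < SB_HDR_SIZE)
        return -1;                         /* header not fully present */

    /* NTOH_S equivalent: Length is big-endian on the wire */
    uint16_t sb_len = (uint16_t)((pkt[0] << 8) | pkt[1]);
    /* Check 1: Length must not exceed the payload actually received,
     * otherwise the copy reads past the end of the packet buffer. */
    if (sb_len > pkt_len - SB_HDR_SIZE)
        return -1;

    /* Check 2: Length must fit the fixed-size destination. This is the check
     * missing before the kdp_info copy in the vulnerable IAPP_RcvHandlerSSB(). */
    if (sb_len > kdp_cap)
        return -1;

    memcpy(kdp_info, pkt + SB_HDR_SIZE, sb_len);
    return (int)sb_len;
}

/* Helper: build a packet whose Length field claims `claimed_len` bytes while
 * only `payload_len` SB bytes follow the header, and run the handler on it. */
int check_packet(uint16_t claimed_len, size_t payload_len)
{
    uint8_t pkt[SB_HDR_SIZE + 512];
    uint8_t kdp_info[KDP_INFO_SIZE];       /* stands in for wappd's stack buffer */
    if (payload_len > sizeof(pkt) - SB_HDR_SIZE)
        return -1;
    memset(pkt, 0x41, sizeof(pkt));        /* constructed filler bytes */
    pkt[0] = (uint8_t)(claimed_len >> 8);
    pkt[1] = (uint8_t)(claimed_len & 0xff);
    return rcv_security_block(pkt, SB_HDR_SIZE + payload_len,
                              kdp_info, sizeof(kdp_info));
}
```

A packet whose Length field is larger than the received payload is rejected by the first check, and one that fits the packet but not the 167-byte destination by the second; the original handler performs neither before the kdp_info copy.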

The most concerning aspect of CVE-2024-20017 is its potential to enable remote code execution (RCE). This means that an attacker could exploit this flaw to run malicious code on a vulnerable device, potentially gaining full control over it. Since no additional execution privileges or user interaction are required, this vulnerability is particularly dangerous for embedded devices, such as routers and access points, which are often overlooked in security patching processes.

MediaTek patched this flaw in March, so the first step is to ensure all your devices are running the latest firmware and software updates. If you have a vulnerable device, check with the manufacturer for available updates.

With the PoC exploit for CVE-2024-20017 now available on GitHub, organizations and individuals using affected devices must ensure their firmware is up to date to prevent potential compromise.
