Nytro Posted December 28, 2011

DeepSec 2007: Fuzzing and Exploiting Wireless Drivers

Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.

Speakers: Sylvester Keil | Clemens Kolbitsch, Vienna University of Technology, Sec Consult

This paper documents the process of identifying potential vulnerabilities in IEEE 802.11 device drivers through fuzzing. The relative complexity of 802.11 as compared to other layer two protocols imposes a number of non-trivial requirements on regular 802.11 protocol fuzzers. This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and open source MADWifi drivers. Furthermore, to document the process of exploiting 802.11 wireless device driver vulnerabilities, the issues of executing arbitrary code in kernel-mode on Linux and Windows systems will be addressed as well. We will present a Metasploit exploit implementation similar to the stager approach taken in Metasploit's Windows kernel-mode exploits.

For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
To download the video visit: DeepSec 2007 on Vimeo
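The abstract describes two ingredients the talk's QEMU-based tool combines: mutation of 802.11 management frames and tracking of the station's scan/auth/assoc state so that fuzzed replies reach parsing code behind the handshake. The following is an added illustration of those two ingredients in plain Python; it is not the authors' code and does not reproduce their QEMU virtual device. The MAC addresses, SSID and the set of mutation strategies are constructed for the example, and the bounds-checked IE walk at the end is the check a practitioner would run on each test case to see which ones carry a declared information-element length that runs past the end of the frame (the classic bug class in wireless drivers that trust that length).

```python
"""Added example: stateful 802.11 management-frame fuzzer sketch (not the DeepSec tool)."""
import random
import struct

# Frame-control byte 0 = (subtype << 4) | (type << 2) | version; type 0 = management.
SUBTYPE_ASSOC_REQ, SUBTYPE_ASSOC_RESP = 0x00, 0x10
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP = 0x40, 0x50
SUBTYPE_BEACON, SUBTYPE_AUTH = 0x80, 0xB0
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("020000000001")   # constructed sample addresses (locally administered)
STA_MAC = bytes.fromhex("020000000002")


def ie(eid, payload, claimed_len=None):
    """Encode one information element (ID, length, payload); claimed_len lets a case lie."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([eid, length & 0xFF]) + payload


def mgmt_header(subtype, dst, src, bssid, seq=0):
    """24-byte management header: frame control, duration, addr1..3, sequence control."""
    return bytes([subtype, 0x00]) + struct.pack("<H", 0) + dst + src + bssid + struct.pack("<H", seq << 4)


def beacon_fixed_fields():
    """Timestamp, beacon interval (100 TU), capability info (ESS bit)."""
    return struct.pack("<QHH", 0, 100, 0x0001)


def ies_baseline(ssid=b"deepsec"):
    """Well-formed SSID, supported-rates and DS-parameter (channel 6) elements."""
    return ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96") + ie(3, b"\x06")


# Mutation strategies applied to the IE section of every injected frame (assumed set).
MUTATORS = {
    "baseline": lambda rng: ies_baseline(),
    "oversized_ssid": lambda rng: ies_baseline(ssid=b"A" * 255),        # SSID far beyond the 32-byte maximum
    "lying_length": lambda rng: ie(0, b"deepsec", claimed_len=0xFF),   # length field points past frame end
    "ie_flood": lambda rng: ie(3, b"\x06") * 100,                       # same element repeated 100 times
    "random_ies": lambda rng: b"".join(
        ie(rng.randrange(256), rng.randbytes(rng.randrange(64))) for _ in range(rng.randrange(1, 12))),
}


def parse_ies(body):
    """Bounds-checked IE walk. Returns (elements, consistent); consistent is False when a
    declared length would read past the buffer, which is exactly what a sloppy driver does."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            return ies, False
        ies.append((eid, body[off + 2:off + 2 + length]))
        off += 2 + length
    return ies, off == len(body)


class AssociationFuzzer:
    """Answers each frame the driver transmits with a fuzzed reply of the matching subtype,
    so parsing code behind probe, authentication and association state is exercised."""
    REPLY_FOR = {SUBTYPE_PROBE_REQ: SUBTYPE_PROBE_RESP, SUBTYPE_AUTH: SUBTYPE_AUTH,
                 SUBTYPE_ASSOC_REQ: SUBTYPE_ASSOC_RESP}

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.state = "scanning"
        self.seq = 0
        self.log = []

    def _frame(self, subtype, body):
        self.seq = (self.seq + 1) & 0xFFF
        dst = BROADCAST if subtype == SUBTYPE_BEACON else STA_MAC
        return mgmt_header(subtype, dst, AP_MAC, AP_MAC, self.seq) + body

    def beacon(self, mutator="baseline"):
        return self._frame(SUBTYPE_BEACON, beacon_fixed_fields() + MUTATORS[mutator](self.rng))

    def on_frame(self, frame, mutator="baseline"):
        """Feed a frame seen from the station; return the fuzzed reply or None if not handled."""
        subtype = frame[0] & 0xF0
        reply = self.REPLY_FOR.get(subtype)
        if reply is None:
            return None
        ies = MUTATORS[mutator](self.rng)
        if reply == SUBTYPE_PROBE_RESP:
            body, self.state = beacon_fixed_fields() + ies, "probed"
        elif reply == SUBTYPE_AUTH:
            body, self.state = struct.pack("<HHH", 0, 2, 0) + ies, "authenticated"   # open system, seq 2, ok
        else:
            body, self.state = struct.pack("<HHH", 0x0001, 0, 0xC001) + ies, "associated"  # cap, status, AID
        self.log.append((subtype, reply, mutator))
        return self._frame(reply, body)


if __name__ == "__main__":
    fz = AssociationFuzzer(seed=1)
    for name in MUTATORS:
        body = fz.beacon(name)[24 + 12:]          # strip header and fixed fields
        ies, ok = parse_ies(body)
        print(f"{name:15s} ies={len(ies):3d} lengths_consistent={ok}")
    probe_req = mgmt_header(SUBTYPE_PROBE_REQ, BROADCAST, STA_MAC, BROADCAST) + ie(0, b"")
    auth_req = mgmt_header(SUBTYPE_AUTH, AP_MAC, STA_MAC, AP_MAC) + struct.pack("<HHH", 0, 1, 0)
    for f, m in ((probe_req, "baseline"), (auth_req, "lying_length")):
        fz.on_frame(f, m)
    print(fz.state, fz.log)
```

In the real setup the frames returned by `beacon()` and `on_frame()` would be handed to the emulated NIC and the driver's own transmissions fed back into `on_frame()`; the `log` records which mutator was live when the guest crashed, which is what makes a crash reproducible.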