MOKB-11-11-2006

Bug details
Title: Broadcom Wireless Driver Probe Response SSID Overflow
Description: The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufacturers also provide devices that ship with this driver.

Fixed version of a Broadcom-compatible driver
Vulnerable driver version (For testing and verification purposes).
Author/Contributor: Johnny Cache <johnnycsh [at] 802.11mercenary.net> - found vulnerability, reported to Broadcom.
NA <NA> - MoKB release.
References:
Proof of concept or exploit: Metasploit Module: exploits/windows/driver/broadcom_wifi_ssid.rb
Debugging information:

All tests were performed with version 3.50.21.10 of the BCMWL5.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using BCMWL5.SYS and upgrade accordingly.
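
The class of check involved in the SSID handling described above, as an added example (not Broadcom's code and not part of the original advisory): a parser that walks the tagged elements of a probe response body and copies the SSID only after validating its length. The function names and status codes are hypothetical; the 32-byte SSID limit and the 12-byte fixed-field layout come from the 802.11 standard, and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID      0   /* 802.11 element ID of the SSID element */
#define SSID_MAX_LEN 32  /* longest SSID the 802.11 standard permits */
#define PROBE_FIXED  12  /* timestamp(8) + beacon interval(2) + capability(2) */

enum { SSID_OK = 0, SSID_ABSENT = -1, SSID_TOO_LONG = -2, SSID_TRUNCATED = -3 };

/* body: probe response frame body (after the 24-byte management header).
 * Copies the SSID into out only after every length check has passed. */
int extract_ssid(const uint8_t *body, size_t body_len,
                 uint8_t out[SSID_MAX_LEN], size_t *out_len)
{
    if (body_len < PROBE_FIXED)
        return SSID_TRUNCATED;
    size_t off = PROBE_FIXED;
    while (body_len - off >= 2) {        /* room for element ID + length */
        uint8_t id = body[off], len = body[off + 1];
        off += 2;
        if (len > body_len - off)        /* element claims more than the frame holds */
            return SSID_TRUNCATED;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)      /* reject instead of copying into a fixed buffer */
                return SSID_TOO_LONG;
            memcpy(out, body + off, len);
            *out_len = len;
            return SSID_OK;
        }
        off += len;                      /* skip elements we do not care about */
    }
    return SSID_ABSENT;
}

/* Constructed sample input: zeroed fixed fields plus a single SSID element
 * whose length byte is claimed_len and which carries actual_len bytes. */
int classify_sample(uint8_t claimed_len, size_t actual_len)
{
    uint8_t body[PROBE_FIXED + 2 + 255] = {0}, ssid[SSID_MAX_LEN];
    size_t n = 0;
    if (actual_len > 255) actual_len = 255;
    body[PROBE_FIXED] = IE_SSID;
    body[PROBE_FIXED + 1] = claimed_len;
    memset(body + PROBE_FIXED + 2, 'A', actual_len);
    return extract_ssid(body, PROBE_FIXED + 2 + actual_len, ssid, &n);
}

int main(void)
{
    printf("32-byte SSID: %d\n", classify_sample(32, 32));
    printf("33-byte SSID: %d\n", classify_sample(33, 33));
    return 0;
}
```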