Discovered and reported a vulnerability in wappd, a network daemon that is a part of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This chipset is commonly used on embedded platforms that support Wi-Fi 6 (802.11ax), including Ubiquiti, Xiaomi, and Netgear devices. As is the case for a handful of other bugs I’ve found, I originally came across this code while looking for bugs on an embedded device: the Netgear WAX206 wireless router. The wappd service is primarily used to configure and coordinate the operations of wireless interfaces and access points using Hotspot 2.0 and related technologies. The structure of the application is a bit complex, but it’s essentially composed of this network service, a set of local services which interact with the wireless interfaces on the device, and communication channels between the various components, using Unix domain sockets.
- Affected chipsets: MT6890, MT7915, MT7916, MT7981, MT7986, MT7622
- Affected software: SDK version 7.4.0.1 and before (for MT7915) / SDK version 7.6.7.0 and before (for MT7916, MT7981 and MT7986) / OpenWrt 19.07, 21.02
The vulnerability is a buffer overflow caused by a copy operation that uses a length value taken directly from attacker-controlled packet data without bounds checking. Overall it’s a pretty simple bug to understand as it’s just a run-of-the-mill stack buffer overflow, so I thought I’d use this bug as a case study to explore multiple exploit strategies that can be taken for this one bug, applying different exploit mitigations and conditions along the way. I think this is interesting as it provides an opportunity to focus on the more creative parts of exploit development: once you know there’s a bug, and you understand the constraints, coming up with all of the different ways you can influence the logic of the application and the effects of the bug to get code execution and pop a shell.
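The bug class described above, as an added C example that is not wappd's code: a parser that copies a length taken straight from the packet next to the bounds-checked form of the same routine. The two-byte header layout, the 32-byte stack buffer and the sample packets are constructed for illustration and do not reflect wappd's real wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative message layout, constructed for this example (not wappd's real
 * wire format): byte 0 = message type, byte 1 = declared payload length,
 * bytes 2.. = payload. */
#define HDR_LEN  2
#define BUF_SIZE 32

/* Bug pattern the post describes: the memcpy length comes straight from the
 * packet. A declared length above BUF_SIZE writes past buf on the stack, and a
 * declared length above the bytes actually received reads past pkt. Kept
 * deliberately unchecked to show the defect. */
int parse_unchecked(const uint8_t *pkt, size_t pkt_len, uint8_t *out_type)
{
    uint8_t buf[BUF_SIZE];
    if (pkt_len < HDR_LEN)
        return -1;
    size_t declared = pkt[1];
    memcpy(buf, pkt + HDR_LEN, declared);   /* no check against sizeof buf or pkt_len */
    *out_type = pkt[0];
    return (int)declared;
}

/* Hardened form: the declared length must fit both the destination buffer and
 * the bytes actually received. Rejecting the message (instead of silently
 * truncating) keeps later code from trusting a length that was never honoured. */
int parse_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *out_type)
{
    uint8_t buf[BUF_SIZE];
    if (pkt_len < HDR_LEN)
        return -1;
    size_t declared = pkt[1];
    if (declared > sizeof buf || declared > pkt_len - HDR_LEN)
        return -1;
    memcpy(buf, pkt + HDR_LEN, declared);
    *out_type = pkt[0];
    return (int)declared;
}

/* Constructed sample packets. */
static const uint8_t benign_pkt[]    = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
/* Declares 200 bytes of payload but carries only 4: the unchecked parser
 * would overrun both pkt and buf; the checked parser rejects it. */
static const uint8_t oversized_pkt[] = { 0x01, 0xC8, 'a', 'b', 'c', 'd' };

/* Benign input is accepted by both parsers; returns the payload length. */
int demo_unchecked_benign(void)
{
    uint8_t type = 0;
    return parse_unchecked(benign_pkt, sizeof benign_pkt, &type);
}

int demo_checked_benign(void)
{
    uint8_t type = 0;
    return parse_checked(benign_pkt, sizeof benign_pkt, &type);
}

/* The oversized message is refused before any copy happens. */
int demo_checked_oversized(void)
{
    uint8_t type = 0;
    return parse_checked(oversized_pkt, sizeof oversized_pkt, &type);
}
```

The second condition in `parse_checked` is the one that is easy to forget: checking the declared length against the buffer alone still lets a short packet with a large length field read uninitialised or out-of-bounds memory. Running a parser like this under AddressSanitizer with fuzzed inputs is the quickest way to confirm that both branches are actually reached.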