Taking Over Laptops by Fuzzing Wireless Drivers

Some news items showed up in the past couple of days about vulnerabilities in wireless device drivers. These vulnerabilities were apparently found by the use of an 802.11 fuzzing tool called LORCON.

From Wikipedia:

LORCON (acronym for Loss Of Radio CONnectivity) is an open source network tool. It is a library for injecting 802.11 frames, capable of injecting via multiple driver frameworks, without the need to change the application code.
The project is maintained by Joshua Wright and Michael Kershaw (“dragorn”).
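What a frame injector such as LORCON lets a fuzzer exercise is the driver's 802.11 frame parser, which runs in the kernel and has to cope with every length field an attacker-controlled radio can send. The following is an added example, not code from the post or from the LORCON project: a bounds-checked walk over the information elements (IEs) of a beacon frame that reports the malformations a fuzzer typically produces (an IE claiming more bytes than the frame holds, an SSID longer than the 32 bytes the standard allows, a dangling header byte). The sample frames, the BSSID and the small table of per-IE maximums are constructed for the example.

```python
import struct

# 802.11 management-frame header (24 bytes) plus the beacon's fixed fields
# (8-byte timestamp, 2-byte interval, 2-byte capabilities) precede the IEs.
MGMT_HDR_LEN = 24
BEACON_FIXED_LEN = 12

# Per-element maximum lengths from the 802.11 standard; an IE longer than this
# is malformed even when it fits inside the frame. Only a few IDs are listed
# here (assumption: the example needs no others).
MAX_IE_LEN = {
    0: 32,   # SSID
    1: 8,    # Supported Rates (extended rates use element ID 50)
    3: 1,    # DS Parameter Set (channel number)
}


def build_beacon(ies: bytes) -> bytes:
    """Constructed sample: a beacon from a made-up BSSID carrying `ies`."""
    fc = b"\x80\x00"                            # type=management, subtype=beacon
    duration = b"\x00\x00"
    bssid = bytes.fromhex("020000000001")       # locally administered, constructed
    hdr = fc + duration + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401)
    return hdr + fixed + ies


def walk_ies(body: bytes):
    """Return (elements, findings): parsed (id, value) pairs and a list of
    malformation reports. Parsing stops at the first element that cannot be
    bounded, which is exactly where an unchecked driver would read past the
    frame buffer."""
    elems, findings = [], []
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            findings.append(f"truncated IE header at offset {off}")
            break
        eid, elen = body[off], body[off + 1]
        avail = len(body) - off - 2
        if elen > avail:
            findings.append(f"IE {eid} declares {elen} bytes but only {avail} remain")
            break
        if eid in MAX_IE_LEN and elen > MAX_IE_LEN[eid]:
            findings.append(f"IE {eid} length {elen} exceeds spec maximum {MAX_IE_LEN[eid]}")
        elems.append((eid, body[off + 2:off + 2 + elen]))
        off += 2 + elen
    return elems, findings


def check_beacon(frame: bytes):
    """Validate one raw beacon frame; returns (elements, findings)."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return [], ["frame shorter than management header plus beacon fixed fields"]
    return walk_ies(frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:])


# Constructed inputs: one well-formed beacon and three of the shapes a
# fuzzer produces by mutating length fields.
GOOD_BEACON = build_beacon(bytes([0, 6]) + b"lab-ap" + bytes([3, 1, 6]))
OVERSIZED_SSID_BEACON = build_beacon(bytes([0, 64]) + b"A" * 64)
TRUNCATED_BEACON = build_beacon(bytes([0, 255]) + b"A" * 10)
DANGLING_BYTE_BEACON = build_beacon(bytes([3, 1, 6, 0]))

if __name__ == "__main__":
    for name, frame in [("good", GOOD_BEACON), ("oversized", OVERSIZED_SSID_BEACON),
                        ("truncated", TRUNCATED_BEACON), ("dangling", DANGLING_BYTE_BEACON)]:
        elems, findings = check_beacon(frame)
        print(f"{name}: {len(elems)} element(s), findings={findings}")
```

The check on `avail` is the one that matters for driver safety: a parser that trusts `elen` and copies `elen` bytes into a fixed 32-byte SSID buffer is the pattern that frame fuzzing is designed to hit, and the same check belongs in any monitor-mode tool that parses frames from untrusted radios.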

Apparently, David Maynor and Jon Ellch intend to demonstrate taking over a laptop by the use of a wireless driver vulnerability next month at Black Hat USA 2006.

I personally intend to go only to DEFCON, but this will be cool. :)

Disclaimer: my employer (and the people hosting the blogs), Beyond Security, are the makers of the beSTORM 2nd generation fuzzing product.

Gadi Evron,
ge@beyondsecurity.com.

  • mike

    What does lorcon do? What does it fuzz?

  • dreamwerx

    802.11

  • c_programming_guru

    Correct me if I’m wrong, but lorcon is the library used to generate 802.11 packets, which allows you to fuzz vulnerable drivers which happen to run at ring0 (Kernel Mode). You will need to upload your stager payload within the Kernel Mode Driver in order to have the (UserLand Payload) execute. You need to store your payload in a region that is shared between both; that is nt!KUSER_SHARED_DATA, which has a copy on a page in each UserLand Process. This is interesting because you could then transfer your payload in 2 parts: 1 kernel level, 2 user level (regular shellcode). Want more info on how it’s done? Go to uninformed.org; there is a really well written article there by Johnny Cache.