How likely is it that wireless driver exploits will be seen in the wild? Those in security research circles have been aware of wireless driver vulnerabilities for some time; however, the issue didn't receive much attention in the wider IT community until the most recent BlackHat Briefings, held earlier this summer. Still, attacks against such vulnerabilities haven't been as widespread as they could be, mostly because exploits for them have not been incorporated into easy-to-use tools.
This is beginning to change with the latest version of the Metasploit framework, a modular environment for developing and running exploits.
The framework currently contains many exploits for network services and client applications, but until now it has lacked kernel-level exploits. One reason for this, particular to network device drivers, is that it's difficult to keep the driver operable after injecting an exploit payload into kernel memory. If the in-memory copy of the driver is corrupted, then you lose remote access to the system. However, with skill it's possible to craft a payload that exploits a vulnerable driver but still leaves it in a functional state.
With the release of version 3.0 the framework has added support for such low-level exploits. This allows framework users to gain access to systems that may not be running any exploitable services, but do have vulnerable kernels. Through this they can infiltrate and gain control of the system.
The first of the kernel-level exploits to be added to Metasploit is one for the driver for Apple's older Orinoco-chipset-based Airport cards, which was recently discovered by Metasploit founder HD Moore. Essentially the vulnerability stems from a bug in the code that parses the variable-length data fields contained in 802.11 probe responses. Through the use of specially crafted probe responses it's possible to execute code on an affected system that is searching for wireless networks. This is especially bad because it does not require the target system to even be associated with a network for it to be exploited.
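The length checks that a parser for those variable-length fields needs are shown below. This is an added illustration of the general bug class, not code from the Airport driver, from Metasploit, or from the original article. The function name, status codes and sample byte arrays are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_SSID      0   /* element ID 0 carries the SSID */
#define SSID_MAX_LEN 32  /* 802.11 caps an SSID at 32 octets */

enum { IE_OK = 0, IE_TRUNCATED = -1, IE_SSID_TOO_LONG = -2, IE_NO_SSID = -3 };

/* Constructed test inputs (not captured traffic): tagged fields only. */
static const uint8_t ok_ies[]    = { 0, 4, 'c', 'a', 'f', 'e', 1, 2, 0x82, 0x84 };
static const uint8_t short_ies[] = { 0, 16, 'a', 'b' };  /* claims 16, has 2 */
static const uint8_t long_ies[2 + 33] = { 0, 33 };       /* 33-octet SSID */

/* Walk the ID/length/value fields and copy out the SSID. The length octet
 * comes from the sender, so it is checked against the bytes left in the
 * frame and against the destination buffer before anything is copied. */
int parse_ssid(const uint8_t *ies, size_t ies_len,
               uint8_t ssid[SSID_MAX_LEN], size_t *ssid_len)
{
    size_t off = 0;
    int found = 0;

    while (off < ies_len) {
        if (ies_len - off < 2)
            return IE_TRUNCATED;         /* no room for ID + length */
        uint8_t id = ies[off], len = ies[off + 1];
        off += 2;
        if (len > ies_len - off)
            return IE_TRUNCATED;         /* value runs past the frame end */
        if (id == IE_SSID && !found) {
            if (len > SSID_MAX_LEN)
                return IE_SSID_TOO_LONG; /* would overflow ssid[] */
            memcpy(ssid, ies + off, len);
            *ssid_len = len;
            found = 1;
        }
        off += len;
    }
    return found ? IE_OK : IE_NO_SSID;
}

int main(void)
{
    uint8_t ssid[SSID_MAX_LEN];
    size_t n = 0;
    int bad = parse_ssid(ok_ies, sizeof ok_ies, ssid, &n) != IE_OK;
    bad |= parse_ssid(short_ies, sizeof short_ies, ssid, &n) != IE_TRUNCATED;
    bad |= parse_ssid(long_ies, sizeof long_ies, ssid, &n) != IE_SSID_TOO_LONG;
    return bad;
}
```

Because a station processes probe responses while it is only scanning, a parser like this runs on input from any transmitter in radio range, which is why each check happens before the copy rather than after.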
Plans to add other wireless driver exploits to Metasploit are in the works. This, combined with Metasploit's ease of use, means it's almost certain that the number of attacks on wireless drivers seen in the wild will increase dramatically.
Andrew Lockhart is lead security analyst at Network Chemistry, security book author, and author of Snort-Wireless, an open source project adding wireless intrusion detection to Snort. He is also an editorial board member of the WVE. This article appeared in Network World.