from Henry Ptasinski
to Johnny Cache (Ellch)
cc Henry Ptasinski
date Nov 3, 2006 8:24 PM
subject bcmwl5.sys issue
mailed-by broadcom.com

Johnny,

I was recently forwarded a copy of the info you sent to EngineerOne about the SSID buffer overflow info in the bcmwl5.sys. We were already aware of this bug in some versions of our wireless driver, and have released updated drivers to our customers, but thanks for contacting us about the problem. Please don't hesitate to contact me directly if you find any other issues with our drivers or have any questions about our wireless drivers.

Would you be interested in stopping by sometime to discuss fuzzing approaches and possibly demo some of your tools?

Thanks,
--
Henry Ptasinski
+1-408-543-3316
Broadcom Home And Wireless Networking
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 3, 2006 10:43 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

Hey Henry,

Cool. Glad to hear you guys knew about it already. This might sound like a stupid question, but could you tell me where to get a copy of the latest drivers? I went fishing around OEM sites with some luck, but I couldn't really tell what the latest version even was. Also, have you guys thought about trying to push these things out to vendors a bit more effectively? I've got an exploit for this ready to go in Metasploit, but I really have no desire to drop it on lots of unpatched users if they are going to be getting a patch soon.

Thanks for the invite, I appreciate the offer. I'm kinda travelled out at the minute, so unless you guys happen to be based near Chicago I'll have to pass. fuzz-e is very un-intelligent/un-interesting anyway. I'm working on some new stuff; if it pans out I'll be sure to let you know. Really the most interesting tools I've developed are related to fingerprinting drivers, which clearly is more an academic interest than remote code execution.
Thanks for the reply,
-jc

from Henry Ptasinski
to johnny cache
cc Henry Ptasinski
date Nov 6, 2006 12:54 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Hi Johnny,

I know that the MSFT Vista in-box driver has the fix, so anybody running Vista beta has the fix. I'm still trying to track down availability info for XP. Unfortunately, release schedules for our customers are up to them, and we don't necessarily even get notified by them when their release goes out. I'll dig around and let you know what I can.

We're in Sunnyvale, Calif. I thought you might be down in Monterey and it would just be a drive over the hill. I can understand the travel overload ...

Thanks,
Henry

Henry Ptasinski
henryp@broadcom.com
from Henry Ptasinski
to johnny cache
cc Henry Ptasinski
date Nov 6, 2006 1:12 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Linksys supposedly has a patched version available on their support site - ver 4.100.15.5.

Henry Ptasinski
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 6, 2006 3:07 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

Just left Monterey about a month ago. Too bad, loved it there. Thanks for the info on the Linksys driver, I'll give it a shot. If it's not patched correctly I'll be sure to let you know.

Hehe, I demoed a simple PoC of this at BlueHat. You should have seen the mood in the room shift. They rushed a Vista box to me to try it on, which seemed OK.
:)
-jc

from johnny cache
to Henry Ptasinski
date Nov 7, 2006 12:21 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

Hey Henry,

I just spent some time trying to find a Broadcom driver from Linksys. The only one I could find was for the WMP54Gv4, but it isn't very new (3.30.15.0). I didn't go through all of their downloads, just the ones I thought were likely. I'd really like to have a patched driver to link to when the exploit comes out. Do you have any suggestions?

-jc

from Henry Ptasinski
to johnny cache
cc henryp@broadcom.com
date Nov 8, 2006 4:36 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Johnny,

Grab the one for the Linksys WPC300N cardbus adapter. I think this link will work:

http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109934&packedargs=sku%3D1144763513196&pagename=Linksys%2FCommon%2FVisitorWrapper

The same driver should work on most of our cards, but the Linksys installer may be tied to a specific card or set of cards. You may have to skip the installer and drop the bcmwl5.sys file in manually.

This driver isn't WHQL signed. I guess Linksys wanted to get some of the fixes out there without waiting for the cert.

When do you expect the Metasploit code to be available?

Henry Ptasinski
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 8, 2006 5:13 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

Cool, thanks. I'll bang on that later today. I was really just waiting to find a patched driver that I could link to when it comes out. I told a friend of mine at Dell about it since it seemed they didn't know. I might wait for them to post the patched driver as well if they move quickly enough (they usually do). If you guys would like to wait for some big push to vendors I'm open to it as long as it's a shortish time frame.
Thanks,
-jc

from johnny cache
to Henry Ptasinski
date Nov 8, 2006 6:57 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

BTW, got the driver installed and it was fixed. :)

-jc

from Henry Ptasinski
to johnny cache
cc Henry Ptasinski
date Nov 10, 2006 7:04 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Thanks for checking it out.

Henry Ptasinski
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 10, 2006 7:08 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

No worries. Just a heads up, the exploit's coming out tomorrow in the MOKB.

-jc

from Henry Ptasinski
to johnny cache
cc Henry Ptasinski
date Nov 10, 2006 7:36 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Thanks for the warning. Will it include the exploit, or just bug info? Any chance of deferring it for a few days?

Henry Ptasinski
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 10, 2006 7:53 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

I could be persuaded to wait. I already told the guy running MOKB it was okay since you guys didn't seem to be waiting for anything last time I asked. I don't mind not getting any credit since you guys knew about this before I mailed you, but if you want me to hold off on this I'm going to need a pretty compelling reason (e.g. you want to push patches out to vendors real soon now, or credit of some sort). It wouldn't be that much trouble if I hadn't already told the MOKB guy to run with it.

-jc

from Henry Ptasinski
to johnny cache
cc Henry Ptasinski
date Nov 10, 2006 8:40 PM
subject Re: bcmwl5.sys issue
mailed-by broadcom.com

Sorry about not getting back to you the first time you asked, but I was waiting for details from management. Dell and HP have been running patched drivers through their qual process, and it's just taking them a while to get through a full test cycle. Apparently, a lot of their resources have been siphoned off by Vista.
Unfortunately, I haven't heard back about when they will be done and have the drivers posted. I'm hoping it's just a few days, but it's mostly out of our hands at this point. Hopefully that's compelling enough to buy us a few days.

Thanks,
- henry

Henry Ptasinski
henryp@broadcom.com

from johnny cache
to Henry Ptasinski
date Nov 11, 2006 1:00 PM
subject Re: bcmwl5.sys issue
mailed-by gmail.com

Hey Henry,

Sorry I didn't get back to you till now. Went to bed before I got this and then my ISP had routing issues this morning. Anyway, obviously it went out already. I had a friend verify the Linksys driver worked on his a/b/g miniPCI card and that worked as well, so most people can install it. A lot of people knew about this (I showed it at BlueHat for starters) so I thought it would be a good idea to let people know so they can install the other driver if they want to.
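Henry's Nov 8 advice (take the Linksys WPC300N package, drop bcmwl5.sys in by hand if the installer refuses the card, and expect it to be unsigned because it skipped WHQL) and the two version numbers quoted in the thread (3.30.15.0 for the older Linksys build, 4.100.15.5 for the patched one) point at the check a practitioner wants after following it: which bcmwl5.sys is actually on disk, is it at least the patched version, and is it signed at all. The function below is an added example for this thread, not code from either correspondent or from Broadcom. It assumes the driver sits in the standard %SystemRoot%\System32\drivers directory, and it treats 4.100.15.5 only as the floor for the Linksys build Henry named; Dell and HP were still qualifying their own builds in this exchange, so a different OEM package may carry a different number and the threshold is a parameter for that reason.

```powershell
# Added example (not from the thread): report the installed bcmwl5.sys
# version, whether it meets a given fixed-version floor, and its
# Authenticode status. Assumes the default driver directory; the
# 4.100.15.5 default is the Linksys version quoted in the thread and is
# not claimed to be the fixed version for every OEM's build.
function Test-Bcmwl5Driver {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\bcmwl5.sys'),
        [version]$MinimumFixed = [version]'4.100.15.5'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Present = $false; Path = $Path }
    }

    $vi = (Get-Item -LiteralPath $Path).VersionInfo

    # FileVersion is free text and may carry a suffix; try the leading
    # token first, then fall back to the numeric parts of the resource.
    $ver = $null
    $leading = ($vi.FileVersion -split '\s+')[0]
    if (-not [version]::TryParse($leading, [ref]$ver)) {
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # NotSigned here matches Henry's remark that the Linksys build skipped
    # WHQL; Valid means a chain to a trusted root, not that it is WHQL.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Present   = $true
        Path      = $Path
        Version   = $ver
        Patched   = ($ver -ge $MinimumFixed)   # [version] compares numerically
        Signature = $sig.Status                # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
    }
}

# Usage: default floor, or pass the version your OEM's advisory quotes.
Test-Bcmwl5Driver
Test-Bcmwl5Driver -MinimumFixed '4.100.15.5'
```

Read the two fields together: Patched = False with a Valid signature is the typical unpatched OEM build, while Patched = True with Signature = NotSigned is exactly what you would see after dropping in the Linksys driver Henry describes, which is fine on XP but is the state Vista's driver signing policy is designed to refuse, so on Vista the in-box driver he mentions is the one to rely on instead.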