Details of a vulnerability in the firmware of a popular WiFi chipset deployed on a wide range of devices such as laptops, smartphones, gaming devices, routers and IoT devices have been published today. The vulnerability has been discovered by Embedi researcher Denis Selianin and affects ThreadX, a real- time operating system( RTOS), which is used for billions of devices. Selianin described in a report published today how someone could use the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. This WiFi SoC( system- on- a- chip) was chosen by the researcher because it is one of the most popular WiFi chipsets on the market with devices like Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones and Valve SteamLink cast devices, to name a few. “I was able to identify ~4 total memory corruption problems in some parts of the firmware,” Selianin said. “A special case of ThreadX block pool overflow was one of the vulnerabilities discovered. This vulnerability can be triggered without user interaction when scanning available networks.” The researcher says that the firmware function for scanning new WiFi networks automatically starts every five minutes and trivializes exploitation. All an attacker needs to do is to send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function starts, malicious code is executed and the device is taken over.
“This is why this bug is so cool and literally allows you to use devices with zero- click interactions in any wireless connection state( even if a device is not connected to a network),” Selianin says. In addition, the researcher says that he has also identified two methods of using this technique, one that is specific to Marvell ‘s own ThreadX firmware implementation and one that is generic and can be applied to any ThreadX- based firmware that could affect up to 6.2 billion ThreadX homepage devices. The Selianin report contains technical details on vulnerability exploitation and a demo video( included below). For obvious reasons, the proof- of- concept code has not been released. Patches are in the works.