Avoiding Vulnerabilities: A Cybersecurity Vigilante's Perspective
I've made a decision - no more vacations, no more conferences like TwitchCon or Defcon for me. Every time I attend these events, a major vulnerability seems to surface. Just recently, while I was on vacation in New Jersey, the Crowdstrike bug came out. And when I was at TwitchCon, chatting with John Hammond about the wonders of computers over a burrito, my buddy sent me a text about a critical exploit in the Mediatek Wi-Fi chipset.
This CVE-2024 vulnerability allows for remote code execution on any device using the software development kit (SDK) of these two chips. In this video, I want to dive into what this means, how it affects the wireless device landscape, and how you can mitigate it yourself.
If you're new here, welcome to my channel, where I talk about cybersecurity and software security. If you're interested in this kind of content, hit that subscribe button - I'd really appreciate it.
This bug is pretty interesting. Essentially, someone found a vulnerability in WAPD, which stands for Wireless Access Point Daemon. Mediatek, a company that makes the chips used in many wireless routers, provides an SDK to make the lives of router manufacturers like Netgear or Ubiquiti easier. This SDK includes pre-built code, like WAPD, for provisioning wireless access points.
Just like any code, WAPD can have vulnerabilities, and the researcher who wrote the blog post discovered a classic buffer overflow. When the code receives data from the network, it casts the packet buffer to a structure and then uses the length from that structure to perform a memcpy, effectively giving an attacker control over the memory copy.
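To make the pattern concrete, here is an added illustration in C, not code from the write-up or from Mediatek's SDK. The wire format (a one-byte tag, a one-byte length, then payload) and every name in it are assumptions constructed for this example; the point is the shape of the bug the paragraph describes, a length field read straight from the packet driving `memcpy`, shown next to the bounds-checked version a defender would want instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example. It is an assumption made for
 * illustration, not WAPD's real packet layout: a one-byte tag, a one-byte
 * length, then `len` bytes of payload. */
struct ie {
    uint8_t tag;
    uint8_t len;
    uint8_t data[];
};

#define IE_VALUE_MAX 32   /* capacity of the destination buffer */

/* The pattern the write-up describes: cast the received bytes to the structure
 * and let its length field drive memcpy. Nothing ties `ie->len` to either the
 * destination capacity or the number of bytes actually received, so the peer
 * decides how far the copy runs. Kept as the "before" for comparison and only
 * ever called on the benign sample below. */
static size_t parse_ie_unchecked(const uint8_t *pkt, size_t pkt_len,
                                 uint8_t value[IE_VALUE_MAX]) {
    (void)pkt_len;                           /* received size is never consulted */
    const struct ie *ie = (const struct ie *)pkt;
    memcpy(value, ie->data, ie->len);        /* bound comes from the packet */
    return ie->len;
}

/* Hardened version: confirm the header is complete, the claimed length fits
 * the destination, and the claimed length does not exceed what was received,
 * all before any copy. Returns 0 on success, -1 if the element is rejected. */
static int parse_ie_checked(const uint8_t *pkt, size_t pkt_len,
                            uint8_t value[IE_VALUE_MAX], size_t *out_len) {
    if (pkt_len < sizeof(struct ie))
        return -1;                           /* truncated header */
    const struct ie *ie = (const struct ie *)pkt;
    size_t len = ie->len;
    if (len > IE_VALUE_MAX)
        return -1;                           /* would overflow `value` */
    if (len > pkt_len - sizeof(struct ie))
        return -1;                           /* claims more bytes than arrived */
    memcpy(value, ie->data, len);
    *out_len = len;
    return 0;
}

/* Convenience wrapper: accepted payload length, or -1 when rejected. */
static int check_packet(const uint8_t *pkt, size_t pkt_len) {
    uint8_t value[IE_VALUE_MAX];
    size_t n = 0;
    if (parse_ie_checked(pkt, pkt_len, value, &n) != 0)
        return -1;
    return (int)n;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_BENIGN[]    = { 0x01, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t PKT_OVERSIZED[] = { 0x01, 0xFF, 'a', 'b', 'c', 'd' }; /* len 255 > 32 */
static const uint8_t PKT_TRUNCATED[] = { 0x01, 0x10, 'a', 'b', 'c', 'd' }; /* len 16 > 4 received */
static const uint8_t PKT_SHORT[]     = { 0x01 };                           /* no length byte */

int main(void) {
    uint8_t value[IE_VALUE_MAX];
    printf("unchecked, benign:  copied %zu bytes\n",
           parse_ie_unchecked(PKT_BENIGN, sizeof PKT_BENIGN, value));
    printf("checked, benign:    %d\n", check_packet(PKT_BENIGN, sizeof PKT_BENIGN));
    printf("checked, oversized: %d\n", check_packet(PKT_OVERSIZED, sizeof PKT_OVERSIZED));
    printf("checked, truncated: %d\n", check_packet(PKT_TRUNCATED, sizeof PKT_TRUNCATED));
    printf("checked, short:     %d\n", check_packet(PKT_SHORT, sizeof PKT_SHORT));
    return 0;
}
```

The two checks in `parse_ie_checked` are the ones that matter for this class of bug: the length is compared against the destination size (so the copy cannot overrun the stack or heap buffer) and against the bytes actually received (so the copy cannot read past the end of the packet). Either check alone leaves one of the two overruns open.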
The in-depth write-up by the researcher goes into compiling WAPD for different platforms and increasing the security of the exploit at each step, ultimately leading to a successful attack on the Netgear WAX 206, a Wi-Fi 6 wireless access point.
What makes this bug so interesting is that it exists at a level below the manufacturer's code. Typically, people place trust in brands like Netgear or Ubiquiti, but this vulnerability is present in the code provided by the system-on-a-chip (SoC) manufacturer, Mediatek. This means the bug can affect not only manufacturer-developed devices but also open-source router OSes like OpenWRT 19 and 21.
I have to give props to Netgear, though. The blog post shows that the WAX 206 router has full RELRO (Relocation Read-Only), ASLR (Address Space Layout Randomization), NX (Non-Executable), and stack canaries enabled. These are impressive security mitigations that are often lacking in the embedded world. Even with these protections in place, the researchers were still able to achieve arbitrary code execution through the buffer overflow vulnerability.
This raises an interesting question: would Rust have caught this bug? Potentially, yes. Rust's runtime bounds checks on copies would likely have turned this vulnerability into a panic, a denial-of-service condition, rather than letting an attacker take over control flow. However, Rust still wouldn't have prevented the underlying condition, a length taken from the packet and trusted, and a remotely triggered denial of service on a wireless access point is still a real problem.
Ultimately, this bug highlights the importance of understanding how computers work at a fundamental level, which is why I'm a strong advocate for learning low-level languages like C. My website, LowLevel Academy, offers courses that teach you C, assembly, and how computers work from the ground up. I believe you can't write efficient, effective code without this foundational knowledge.
In the meantime, go show some love to the researchers who discovered this vulnerability. Check out their blog post, follow them on social media, and give their GitHub some stars. And if you're interested in learning more about low-level programming and cybersecurity, head over to LowLevel Academy and check out the courses.
Thanks for watching, and I'll see you in the next video!