Details of VAR-E-201709-0259

ID

VAR-E-201709-0259

CVE

cve_id:	CVE-2017-11120	Trust: 1.8
cve_id:	CVE-2017-11121	Trust: 0.3

sources: BID: 100984 // PACKETSTORM: 144328 // EXPLOIT-DB: 42784

EDB ID

42784

TITLE

Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response - iOS remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 42784

DESCRIPTION

Apple iOS 10.2 - Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response. CVE-2017-11120 . remote exploit for iOS platform

Trust: 0.6

sources: EXPLOIT-DB: 42784

AFFECTED PRODUCTS

vendor:	apple	model:	ios	scope:	eq	version:	10.2	Trust: 1.9
vendor:	broadcom	model:	802.11k	scope:	-	version:	-	Trust: 0.5
vendor:	samsung	model:	galaxy s7 edge	scope:	eq	version:	0	Trust: 0.3
vendor:	google	model:	android	scope:	eq	version:	0	Trust: 0.3
vendor:	broadcom	model:	bcm4355c0 soc	scope:	eq	version:	9.44.78.27.0.1.56	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.1.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.1.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	9.0	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.2.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.2.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.2	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10.1	Trust: 0.3
vendor:	apple	model:	tvos	scope:	eq	version:	10	Trust: 0.3
vendor:	apple	model:	tv	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ipod touch	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	iphone	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ipad air	scope:	eq	version:	0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	50	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	40	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	30	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7.0.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.9	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.8	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.7	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.6	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.5	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2.10	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	4	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.3.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.3.2	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.3.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.3	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10.1	Trust: 0.3
vendor:	apple	model:	ios	scope:	eq	version:	10	Trust: 0.3
vendor:	apple	model:	tvos	scope:	ne	version:	11	Trust: 0.3
vendor:	apple	model:	ios	scope:	ne	version:	11	Trust: 0.3

sources: BID: 100984 // PACKETSTORM: 144328 // EXPLOIT-DB: 42784 // EDBNET: 97078

EXPLOIT

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1289

The exploit gains code execution on the Wi-Fi firmware on the iPhone 7.

The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included). However, some symbols might need to be adjusted for different versions of iOS, see "exploit/symbols.py" for more information.

Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).

The attached archive contains the following directories:
-hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
instrumented to add various commands, allowing injection and reception of crafted action frames
used throughout the exploit.
-exploit - The exploit itself.

To run the exploit, you must execute the following steps:
-Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
-Compile the provided version of hostapd
-Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
-Configure the following settings under "exploit/conf.py":
-HOSTAPD_DIR - The directory of the hostapd binary compiled above
-TARGET_MAC - The MAC address of the device being exploited
-AP_MAC - The MAC address of your wireless dongle
-INTERFACE - The name of the wireless dongle's interface
-Assemble the backdoor shellcode by running "exploit/assemble_backdoor.sh"
-Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
-Connect the target device to the network
-Run "exploit/attack.py"

Following the steps above should result in installation of a simple backdoor allowing read/write access to the firmware. You can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively.

Proof of Concept:

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42784.zip

Trust: 1.0

sources: EXPLOIT-DB: 42784

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 42784

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 42784

TYPE

Broadcom Out-of-Bounds Write when Handling 802.11k Neighbor Report Response

Trust: 1.6

sources: EXPLOIT-DB: 42784 // EDBNET: 97078

CREDITS

Google Security Research

Trust: 0.6

sources: EXPLOIT-DB: 42784

EXTERNAL IDS

db:	NVD	id:	CVE-2017-11120	Trust: 1.8
db:	EXPLOIT-DB	id:	42784	Trust: 1.6
db:	EDBNET	id:	97078	Trust: 0.6
db:	PACKETSTORM	id:	144328	Trust: 0.5
db:	NVD	id:	CVE-2017-11121	Trust: 0.3
db:	BID	id:	100984	Trust: 0.3

sources: BID: 100984 // PACKETSTORM: 144328 // EXPLOIT-DB: 42784 // EDBNET: 97078

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2017-11120	Trust: 1.5
url:	https://bugs.chromium.org/p/project-zero/issues/detail?id=1289	Trust: 1.3
url:	https://www.exploit-db.com/exploits/42784/	Trust: 0.6
url:	https://www.apple.com/	Trust: 0.3
url:	http://www.apple.com/accessibility/tvos/	Trust: 0.3
url:	http://www.apple.com/ios/	Trust: 0.3
url:	https://source.android.com/security/bulletin/2017-09-01	Trust: 0.3
url:	https://lists.apple.com/archives/security-announce/2017/sep/msg00007.html	Trust: 0.3
url:	https://lists.apple.com/archives/security-announce/2017/sep/msg00009.html	Trust: 0.3
url:	https://bugs.chromium.org/p/project-zero/issues/detail?id=1291	Trust: 0.3

sources: BID: 100984 // PACKETSTORM: 144328 // EXPLOIT-DB: 42784 // EDBNET: 97078

SOURCES

db:	BID	id:	100984
db:	PACKETSTORM	id:	144328
db:	EXPLOIT-DB	id:	42784
db:	EDBNET	id:	97078

LAST UPDATE DATE

2022-07-27T09:51:39.390000+00:00

SOURCES UPDATE DATE

db:

BID

id:

100984

date:

2017-09-27T08:00:00

SOURCES RELEASE DATE

db:	BID	id:	100984	date:	2017-09-25T00:00:00
db:	PACKETSTORM	id:	144328	date:	2017-09-26T00:05:58
db:	EXPLOIT-DB	id:	42784	date:	2017-09-25T00:00:00
db:	EDBNET	id:	97078	date:	2018-03-11T00:00:00

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE