MSFT released a patch for CVE-2024-30078 (Wi-Fi Driver RCE) in the June cumulative update; however, details in the advisory have been very limited.
I'm leaving some quick notes from a quick reverse engineering of the patch that hopefully will shed a little more light on the issue. 🧵
I am not an expert on wireless network protocols so feel free to correct me or add to the provided info in the comments or through a DM.
The patch targets Dot11Translate80211ToEthernetNdisPacket() of the native wifi driver (nwifi.sys).
The patch expands on a previous check at the beginning of the function which is described in the pseudocode below:
MDL_packetSize = MDL->ByteCount;
if (MDL->ByteCount < (MAC_frame_size + 8))   // 8 = size of the 802.2 LLC header carrying the EtherType
    return NDIS_STATUS_INVALID_PACKET;
The above check ensures the received packet size is at least the size of the physical and link layer frames + 8; anything smaller is rejected as an invalid packet.
The function seems to expect a packet with an 802.11 frame followed by an 802.2 LLC header, which contains a two-octet field with the etherType.
In the specific case where the etherType field is 0x8100 (VLAN-tagged frame), the patch introduces an additional check that didn't exist in the vulnerable version:
if (Feature_1281542463() && MDL_packetSize < *(netBuffer->MAC_frame_size) + 12)   // +4 bytes for the 802.1Q tag
    return NDIS_STATUS_INVALID_PACKET;
This extends the previous check by 4 additional bytes, which seem to accommodate an 802.1Q header containing the VLAN identifier.
It's possible to devise a detection signature based on the etherType value, since most people won't be using VLAN tagging over Wi-Fi.
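Added example, not code from the thread or from nwifi.sys: a Python model of the pre- and post-patch length checks and of the etherType-based detection hint. It assumes MAC_frame_size is the 802.11 MAC header length, models the Feature_1281542463() gate as a `patched` flag, and uses constructed sample frames.

```python
import struct

LLC_SNAP_LEN = 8        # 802.2 LLC + SNAP: DSAP, SSAP, Control, OUI(3), EtherType(2)
VLAN_TAG_LEN = 4        # 802.1Q tag: TCI(2) + encapsulated EtherType(2)
ETHERTYPE_VLAN = 0x8100

def mac_header_len(frame: bytes) -> int:
    """802.11 MAC header length from the Frame Control field (assumed to be what
    the decompiled MAC_frame_size holds)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not an 802.11 data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    hdr = 30 if (to_ds and from_ds) else 24     # Address 4 is only present in WDS frames
    if (fc >> 4) & 0x8:                         # QoS data subtypes add a 2-byte QoS Control
        hdr += 2
    return hdr

def check_length(frame: bytes, patched: bool) -> str:
    """Mirror the nwifi.sys size checks: 'invalid' where the driver would return
    NDIS_STATUS_INVALID_PACKET, 'ok' where translation proceeds."""
    mac = mac_header_len(frame)
    if len(frame) < mac + LLC_SNAP_LEN:         # pre-existing check (MAC_frame_size + 8)
        return "invalid"
    ethertype = struct.unpack_from(">H", frame, mac + 6)[0]
    if patched and ethertype == ETHERTYPE_VLAN and len(frame) < mac + LLC_SNAP_LEN + VLAN_TAG_LEN:
        return "invalid"                        # check added by the patch (MAC_frame_size + 12)
    return "ok"

def is_vlan_tagged(frame: bytes) -> bool:
    """Detection hint from the thread: VLAN-tagged (0x8100) frames over Wi-Fi are unusual."""
    mac = mac_header_len(frame)
    if len(frame) < mac + LLC_SNAP_LEN:
        return False
    return struct.unpack_from(">H", frame, mac + 6)[0] == ETHERTYPE_VLAN

def build_frame(ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed sample: plain data frame (ToDS=FromDS=0), 24-byte MAC header, LLC/SNAP after it."""
    mac = b"\x08\x00" + b"\x00\x00" + b"\x02" * 6 + b"\x04" * 6 + b"\x06" * 6 + b"\x00\x00"
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack(">H", ethertype)
    return mac + llc_snap + payload

if __name__ == "__main__":
    short_vlan = build_frame(ETHERTYPE_VLAN)          # LLC says 0x8100 but no 802.1Q tag follows
    print(check_length(short_vlan, patched=False))    # ok      (unpatched check passes it)
    print(check_length(short_vlan, patched=True))     # invalid (patched check rejects it)
    print(check_length(build_frame(ETHERTYPE_VLAN, b"\x00\x01\x08\x00"), patched=True))  # ok
```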
The information above also strongly suggests the vulnerability is reachable from an adjacent wireless device that does not need to be authenticated on the same network as the target.
This is as far as I'll go into the vulnerability in public, but it should provide enough pointers to follow up if you're interested in it. Also beware of PoCs online that have nothing to do with the issue at hand.
Hope you enjoy.
I need to make a correction. Upon closer inspection it seems you need to be authenticated on the same network as the victim.
I wonder if @KunlunLab are planning a talk or blogpost on this vulnerability.