Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
farmpoet Profile picture
@f4rmpoet
Jun 23 9 tweets 2 min read Read on X
MSFT released a patch for CVE-2024-30078 (Wi-Fi Driver RCE) on June cumulative update, however details on the advisory have been very limited.
I'm leaving some quick notes from a quick reverse engineering of the patch that hopefully will shed a little more light on the issue. 🧵
I am not an expert on wireless network protocols so feel free to correct me or add up on the provided info in the comments or through a DM.
The patch targets Dot11Translate80211ToEthernetNdisPacket() of the native wifi driver (nwifi.sys).
The patch expands on a previous check at the beginning of the function which is described in the pseudocode below:

MDL_packetSize = MDL->ByteCount;
if (MDL->ByteCount < (MAC_frame_size + 8))
return NDIS_STATUS_INVALID_PACKET;
The above check ensures the received packet size is greater than the size of the physical and link layer frames + 8.
The function seems to expect a packet with a 802.11 frame followed by a 802.2 LLC header which contains a two-octet field with the etherType.
On the specific case where etherType field is 0x8100 (VLAN-tagged frame), the patch introduces an aditional check that didn't exist on the vulnerable version:

if (Feature_1281542463() && MDL_packetSize < *(netBuffer->MAC_frame_size) + 12)
return NDIS_STATUS_INVALID_PACKET;
The expands on the previous check on 4 additional bytes which seem to accomodate for a 802.1Q header containing the VLAN identifier.
Its possible to devise a detection sig based on the etherType value since most people won't be using vlan tagging over wifi.
The information above also strongly suggests the vulnerability is reachable from an adjacent wireless device that does not need to be authenticated on the same network as the target.
This is as far as I'll go into the vulnerability in public but should provide enough pointers to follow up if you're interested in it. Also beware of PoC's online that have nothing to do with the issue at hand.
Hope you enjoy.
I need to make a correction. Upon closer inspection it seems you need to be authenticated on the same network as the victim.
I wonder if @KunlunLab are planning a talk or blogpost on this vulnerability.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with farmpoet

farmpoet Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @f4rmpoet

farmpoet Profile picture
Aug 22
Let's explore China’s 0-day vulnerability research capabilities.
I’ve long been intrigued by the prolific nature of Chinese teams in discovering vulnerabilities. Over the past months, I’ve gathered some data and analyzed reported vulnerabilities to gain a deeper understanding.🧵 Image
Since September 2021, the Chinese government has mandated that any Chinese researchers, businesses, or even foreign companies operating in China who discover 0-day vulnerabilities must report the details to the Chinese Ministry of Industry and Information Technology (MIIT)
The policy in question was formalized through the "Provisions on the Management of Network Product Security Vulnerabilities" issued by MIIT, which obliges entities to report vulnerabilities within within two days (48 hours) of their discovery. chinalawtranslate.com/en/product-sec…
Read 25 tweets
farmpoet Profile picture
Aug 19
It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE).
I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light.
This time I'll focus on my workflow and thought process as we go. 🧵
MSFT advisory pretty much tells us where to look.
Our target is the tcpip.sys kernel driver which got an update during last patch tuesday.
For the analysis I picked binaries for Windows 11 23H2, builds 3958 (pre-fix) and 4036 (post).
Diffing shows a single function has changed. Image
In fact, this is the best you could hope for on binary diffing.
Further inspecting the differences on Ipv6pProcessOptions() it comes down to a single change at the end.
A call to IppSendErrorList() has been replaced by IppSendError(). Couldn't get simpler than this right? 😅 Image
Read 24 tweets
farmpoet Profile picture
Jun 29
Some final notes on CVE-2024-30078 (wifi RCE) exploitability.
If you haven't already done so, I recommend you first take a look at my previous thread on the subject.
🧵

As previously noted, the native driver does not account for 4 extra bytes when the ether type is 0x8100 (Vlan tagged net).
Since the packet is rewritten on the original buffer, it will do so 4 bytes ahead of what is was supposed to because of the dot1q header that should exist.
This will not only corrupt the translated packet (which will be later discarded as invalid) but also overwrite up to 2 bytes outside the MDL buffer that holds the packet. [overflowed bytes marked in red]
But is the exploitability feasible? Image
Read 10 tweets
farmpoet Profile picture
Jan 7, 2022
Inspired by @osxreverser analysis of NSA BPF port-knocking implant, I decided to take a 2nd look at #ShadowBrokers leak of windows implants. Lo and behold, a couple of hardly mentioned kernel drivers (#DoormanGauze and #FlewAvenue) caught my attention. (1/11)
Information publicly available on these drivers is scarce and for the most part flat out wrong. Instead of going for the usual deep-dive blog post, lets try a light-speed tweeter thread analysis. In this thread we'll take a brief look at #DoormanGauze. (2/11)
So, what is #DoormanGauze... In a nutshell, its a plugin for #DanderSpritz / #ExpandingPulley implants implementing an in-kernel mailslot server, allowing for stealthy inter-process communication. This can replace the usual named pipes/windows sockets IPC. (3/11) Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(