
Zero-click flaw affects MediaTek WiFi chips in smartphones and routers


A critical zero-click vulnerability, CVE-2024-20017, impacts many devices using MediaTek WiFi chipsets. This flaw affects chipsets such as MT7622 and MT7915 and is present in routers and smartphones from popular manufacturers like Ubiquiti, Xiaomi, and Netgear.

With a CVSS score of 9.8, this vulnerability poses a serious risk, allowing remote code execution without any user interaction.

Researchers have discovered that this security flaw stems from an out-of-bounds write, which attackers can exploit to take control of vulnerable devices. The vulnerability lies in the ‘wappd’ service, a network daemon that configures and manages wireless interfaces on devices equipped with MediaTek chipsets.

“The vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle,” researchers explained.

The flaw occurs due to a buffer overflow in the IAPP_RcvHandlerSSB function, which processes incoming packet data. Specifically, an attacker-controlled length value is passed into the IAPP_MEM_MOVE macro without proper validation, leading to an out-of-bounds write.

This weakness allows attackers to send specially crafted packets to the device, ultimately triggering the vulnerability. By manipulating the packet’s length and structures, attackers can bypass the minimal bounds check, resulting in a buffer overflow of up to 1433 bytes.

“As the size of the destination struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes,” researchers note.
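The defect described above is an unchecked, attacker-controlled length reaching a memory copy whose destination is a fixed-size structure. The following C example, added here and not taken from the MediaTek SDK or from the researchers' write-up, reconstructs that pattern in miniature and places it beside the bounds-checked form a defender would expect. Every name in it is hypothetical: the 2-byte big-endian length prefix, the `ssb_record_t` structure and the handler names are constructed stand-ins, and only the 167-byte destination size comes from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 167 bytes is the destination size quoted by the researchers; the frame
 * size and wire layout below are constructed for this example only. */
#define SSB_DEST_SIZE 167
#define MAX_FRAME     1600

/* Hypothetical stand-in for the destination structure filled by the handler. */
typedef struct {
    uint8_t body[SSB_DEST_SIZE];
} ssb_record_t;

/* Hypothetical wire format: a 2-byte big-endian length, then the payload.
 * Returns 0 on success and -1 if the packet is too short to hold a length. */
int parse_len(const uint8_t *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt_len < 2) return -1;
    *out_len = ((size_t)pkt[0] << 8) | pkt[1];
    return 0;
}

/* Vulnerable pattern, as the article describes it: the length taken from the
 * packet is handed straight to the copy without being compared against the
 * destination size, so a claimed length above 167 writes out of bounds.
 * Kept here for contrast only; nothing in this example calls it. */
void handle_ssb_unchecked(ssb_record_t *rec, const uint8_t *pkt, size_t pkt_len) {
    size_t len;
    if (parse_len(pkt, pkt_len, &len) != 0) return;
    memcpy(rec->body, pkt + 2, len); /* BUG: len is never bounded */
}

/* Hardened form: the length must fit both the bytes actually received and the
 * destination. Returns the number of bytes copied, or a negative error code:
 *   -1  packet shorter than the length prefix
 *   -2  claimed length exceeds the bytes present (would read past the packet)
 *   -3  claimed length exceeds the destination (would write past the struct) */
int handle_ssb_checked(ssb_record_t *rec, const uint8_t *pkt, size_t pkt_len) {
    size_t len;
    if (parse_len(pkt, pkt_len, &len) != 0) return -1;
    if (len > pkt_len - 2)        return -2;
    if (len > sizeof(rec->body))  return -3;
    memcpy(rec->body, pkt + 2, len);
    return (int)len;
}

/* Builds a constructed packet that claims `claimed_len` bytes while only
 * `present_payload` bytes follow the header, and runs the checked handler
 * on it. Returns the handler's result so each case can be inspected. */
int demo_case(size_t claimed_len, size_t present_payload) {
    uint8_t pkt[MAX_FRAME + 2];
    ssb_record_t rec;
    if (present_payload > MAX_FRAME || claimed_len > 0xFFFF) return -99;
    memset(pkt, 0x41, sizeof pkt);              /* filler payload bytes */
    pkt[0] = (uint8_t)(claimed_len >> 8);
    pkt[1] = (uint8_t)(claimed_len & 0xFF);
    return handle_ssb_checked(&rec, pkt, present_payload + 2);
}

int main(void) {
    printf("167-byte payload, honest length : %d\n", demo_case(167, 167));
    printf("168-byte payload, honest length : %d\n", demo_case(168, 168));
    printf("claims 1600, only 10 present    : %d\n", demo_case(1600, 10));
    printf("claims 1600, 1600 present       : %d\n", demo_case(1600, 1600));
    return 0;
}
```

The two checks in `handle_ssb_checked` are independent and both are needed: the first stops the handler from reading beyond the received frame, the second stops it from writing beyond the 167-byte destination. A single comparison against the packet length, which is what a "minimal bounds check" typically amounts to, still lets a frame that is larger than the destination overflow it.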

The public exploit leverages return-oriented programming (ROP) to achieve remote code execution. By exploiting the buffer overflow, attackers can overwrite the global address table and call system commands on the affected device.

In the observed exploit, attackers use a reverse shell technique, which allows them to control the compromised device remotely using tools like Netcat.

The reverse shell is triggered by embedding a series of commands within the payload, causing the compromised device to open a connection back to the attacker, who can then issue commands to it. This method effectively allows the attacker to gain full control over the device without requiring any user input, highlighting the critical nature of this zero-click vulnerability.

Researchers have urged users to ensure that they are running the most up-to-date versions of their device’s firmware, particularly if they are using devices powered by the affected MediaTek chipsets.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
