by danduran on Cybersecurity, 4 min read

Critical Zero-Click Vulnerability in MediaTek Wi-Fi Chipsets (CVE-2024-20017): What You Need to Know

Hey guys, Dan here! I want to share important news regarding a critical vulnerability that affects many Wi-Fi routers and smartphones.

🤷🏻 Sorry about the sync problem in the video lol 🤷🏻

This vulnerability, CVE-2024-20017, is serious and demands immediate attention. It’s a zero-click exploit, meaning attackers can compromise your devices without you doing anything—no clicking, no downloading, nothing.

What is CVE-2024-20017?

CVE-2024-20017 is a critical zero-click vulnerability rated 9.8 on the CVSS scale, highlighting its severity. This flaw affects MediaTek Wi-Fi chipsets, particularly MT7622, MT7915, and RTxxxx chipsets, found in products from manufacturers such as Ubiquiti, Xiaomi, and Netgear.

Devices running MediaTek SDK versions 7.4.0.1 and earlier, and OpenWrt 19.07 and 21.02, are particularly vulnerable. The issue arises from an out-of-bounds write caused by a buffer overflow in the wappd daemon that ships with the chipset SDK, allowing remote attackers to execute malicious code.

For more technical details, you can view the following links:

  • The official CVE page here
  • The research blog from SonicWall here
  • In-depth technical PoCs and exploitation methods, outlined by CoffinSec here

Four Ways to Exploit CVE-2024-20017

CoffinSec’s blog post provides detailed insights into how attackers can exploit this vulnerability in four distinct ways:

  1. RIP hijack via corrupted return address and ROP to system()
    Attackers corrupt the saved return address so that execution is redirected into a ROP (Return Oriented Programming) chain that ends in a call to system(), resulting in remote code execution.

  2. Arbitrary write via pointer corruption and GOT overwrite
    This method uses pointer corruption to overwrite critical memory locations such as the Global Offset Table (GOT), which stores the addresses of the library functions the program calls.

  3. Return address corruption and arbitrary write via ROP (with full RELRO)
    Attackers can still achieve code execution even in environments with full RELRO (Read-Only Relocations) and ASLR (Address Space Layout Randomization), making this method particularly dangerous on modern systems.

  4. WAX206 return address corruption + arbitrary read/write via pointer corruption
    In this method, attackers target specific devices, such as the Netgear WAX206, bypassing defenses like stack canaries and enabling arbitrary read/write operations.

For a deep dive into how these exploits work, check out CoffinSec’s full post here. It's an excellent resource for anyone looking to understand the multiple strategies hackers can take to exploit this bug.

Why Should You Care?

Even though MediaTek patched this vulnerability earlier this year, a proof-of-concept (PoC) was only recently released, significantly increasing the risk of real-world attacks.

If your device is affected, attackers could potentially take complete control, execute remote commands, and compromise your network. Since this is a zero-click exploit, simply having an unpatched device puts you at risk.

What Should You Do?

Here are the steps you can take to protect your devices:

  1. Update Your Firmware
    If you have routers or smartphones using MediaTek Wi-Fi chipsets, the first thing you should do is check for firmware updates. MediaTek has released patches, but it’s important to ensure your device manufacturer has made them available for your specific model.

  2. Consult Your Router Manufacturer
    Manufacturers like Ubiquiti, Xiaomi, and Netgear may have their own procedures for mitigating this vulnerability. It’s important to visit their support pages or contact their customer service for details on how to update your device.

  3. Verify Your Update
    After applying the update, verify that the patch has been successfully installed. Most manufacturers provide tools or instructions to confirm the update has addressed the vulnerability.

Understanding the Vulnerability

The vulnerability exists within wappd, a network daemon in MediaTek’s SDK and driver bundles. This service handles the configuration and management of wireless interfaces, particularly for Hotspot 2.0 technologies.

The issue stems from an out-of-bounds write in the function IAPP_RcvHandlerSSB. Attackers can send specially crafted packets whose payload exceeds the 167-byte receive buffer, overflowing it by up to 1433 bytes. This overflow gives attackers remote code execution, enabling them to fully compromise a vulnerable device.
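As an added illustration that is not from this post or from MediaTek's code, the C below models the bug class described above (a fixed 167-byte receive buffer filled from a length the sender controls) and shows the vulnerable pattern next to a hardened handler that validates the length before copying. The frame layout, the 1600-byte maximum body (167 + 1433) and the names ssb_frame, ssb_receive_unchecked, ssb_receive_checked and make_frame are constructed assumptions, not wappd's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the bug class above: a 167-byte receive buffer filled from
 * a sender-controlled length field. Names are hypothetical, not wappd's own code. */
#define SSB_BUF_LEN  167
#define SSB_MAX_BODY 1600          /* 167 + 1433: the largest body the text describes */

struct ssb_frame {
    uint8_t  hdr[4];               /* constructed header bytes */
    uint16_t body_len;             /* sender-controlled body length */
    uint8_t  body[SSB_MAX_BODY];
};

/* Vulnerable pattern: body_len is trusted, so a body longer than 167 bytes is
 * written past the stack buffer. Only ever called here with an in-bounds frame. */
int ssb_receive_unchecked(const struct ssb_frame *f)
{
    uint8_t buf[SSB_BUF_LEN];
    memcpy(buf, f->body, f->body_len);          /* no bound on body_len */
    return buf[0];
}

/* Hardened form: check the claimed length against the buffer capacity and
 * against the bytes actually received before copying; reject otherwise. */
int ssb_receive_checked(const struct ssb_frame *f, size_t frame_len)
{
    uint8_t buf[SSB_BUF_LEN];
    size_t hdr = offsetof(struct ssb_frame, body);
    if (frame_len < hdr)               return -1;  /* truncated header */
    if (f->body_len > SSB_BUF_LEN)     return -1;  /* would overflow buf */
    if (f->body_len > frame_len - hdr) return -1;  /* claims more than received */
    memcpy(buf, f->body, f->body_len);
    return (int)f->body_len;                        /* bytes accepted */
}

/* Build a constructed frame of body_len 0x41 bytes; returns its wire length. */
size_t make_frame(struct ssb_frame *f, uint16_t body_len)
{
    memset(f, 0, sizeof *f);
    f->body_len = body_len;
    memset(f->body, 0x41, body_len);
    return offsetof(struct ssb_frame, body) + body_len;
}
int main(void)
{
    struct ssb_frame f;
    size_t n = make_frame(&f, SSB_MAX_BODY);    /* 1433 bytes past the buffer */
    printf("oversized body: %d (rejected)\n", ssb_receive_checked(&f, n));
    return 0;
}
```

The third check matters as much as the second: a length field that is within buffer capacity but larger than the bytes actually received would otherwise copy stale memory from the end of the frame.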

The bug affects a wide range of chipsets and devices, and with multiple exploitation methods now public, the threat is severe.

This vulnerability is a major concern for anyone using routers or devices with MediaTek Wi-Fi chipsets. With a publicly available PoC and multiple documented exploitation methods, the likelihood of attacks is increasing.

To protect yourself, it’s crucial to update your devices immediately and consult your device manufacturer for the latest patches.

Stay secure!

Dan Duran @ GetCyber
