A critical 0-click remote code execution (RCE) vulnerability, designated as CVE-2024-20017, has been identified in MediaTek Wi-Fi chipsets, which are commonly integrated into devices from manufacturers like Ubiquiti, Xiaomi, and Netgear. This vulnerability allows attackers to exploit the affected systems without requiring any user interaction, significantly increasing the risk of unauthorized access and control. The flaw resides in the wappd network daemon, part of the MediaTek SDK and RTxxxx SoftAP driver, which is tasked with configuring and managing wireless interfaces.
The vulnerability is caused by a buffer overflow during a copy operation that uses a length value taken directly from attacker-controlled packet data. This oversight allows up to 1433 bytes of malicious data to overflow the stack, paving the way for potential exploitation. Researchers have successfully crafted four distinct exploits targeting different mitigation measures, showcasing the versatility of the threat. Each exploit utilizes various techniques, such as return instruction pointer (RIP) hijacking and arbitrary write primitives, to execute shell commands on the target devices.
Among the developed exploits, one demonstrates a classic RIP hijack, while another circumvents stack canaries and address space layout randomization (ASLR) by corrupting pointers. A third exploit works around full RELRO (Read-Only Relocations) and uses return-oriented programming (ROP) to manipulate memory and execute arbitrary shell commands. The fourth exploit, specifically targeting the Netgear WAX206, presents unique challenges due to enhanced security measures, necessitating an adapted approach to achieve its objectives.
Given the widespread use of MediaTek chipsets in numerous consumer and enterprise devices, users are urged to take immediate action by updating their firmware to the latest versions provided by manufacturers. This discovery serves as a stark reminder of the complexities involved in securing embedded systems and the continuous need for vigilance in identifying and addressing potential security flaws. As cyber threats evolve, proactive measures are essential to safeguard devices and sensitive information from malicious exploitation.
