CVE-2017-0561
published 2017-04-07

Priority: P275 (critical)
CVSS 3.0 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 30.03% (98.0th percentile)
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.

Affected (6 ranges)

Vendor         Product            Version range                               Fixed in
debian         firmware-nonfree   < firmware-nonfree 20180518-1 (bookworm)    firmware-nonfree 20180518-1 (bookworm)
google         android            (not listed)                                (not listed)
google_inc     android            (not listed)                                (not listed)
google_inc     android            (not listed)                                (not listed)
linux          linux_kernel       (not listed)                                (not listed)
linux          linux_kernel       (not listed)                                (not listed)

Detection & IOCs (extracted from sources)

url:       https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41805.zip
url:       https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41806.zip
filename:  TDLSExploit-1.tar.gz
filename:  TDLSExploit-2.tar.gz
filename:  BCMHeapVisualisers.tar.gz
filename:  BCMPatcher.tar.gz
version:   BCM4339 firmware 6.37.34.40
version:   BCM4358 firmware 7.112.201.1
command:   TDLS_SETUP <MAC_ADDRESS_OF_PEER>
other:     TDLS action code 127
  • Detect oversized Fast Transition IE (tag 55) in TDLS Teardown frames — a length field of 255 (ft_ie[1] = 0xFF) triggers the heap overflow in wlc_tdls_cal_teardown_mic_chk on BCM firmware.
  • Detect oversized RSN IE (tag 48) in TDLS Setup Confirm (M3) frames — an abnormally large RSN IE length that causes rsn_ie[1] + 2 + (pos - buffer) == 0xFF triggers the heap overflow in wlc_tdls_cal_mic_chk.
  • Monitor for TDLS connections being automatically established without user interaction — BCM firmware accepts all TDLS Setup Requests autonomously, making any peer on the same network a potential attacker.
  • Alert on unexpected Wi-Fi SoC resets (BCM firmware crash/reset) on devices with BCM4339 or BCM4358 chips — heap corruption from the overflow causes the remote BCM SoC to reset.
  • Detect TDLS frames with action code 127 — this non-standard action code is used by the exploit to manipulate heap freelist chunks and ultimately redirect a timer handler for code execution.
  • Flag use of modified wpa_supplicant 2.6 sending crafted TDLS Teardown or Setup Confirm frames — exploitation requires patched wpa_supplicant and Linux kernel (mac80211) to send malformed TDLS frames.
  • The BCM firmware heap does not implement safe unlinking or heap header cookies, making heap overflows significantly easier to exploit reliably on affected devices.
  • The BCM firmware heap is zero-initialized; '00 00' is NOP (MOVS R0,R0) in Thumb, which the exploit leverages to safely jump to shellcode placed on the heap.
  • In the TDLS Setup Confirm overflow (CVE-2017-0561 / issue #1047), the Anonce bytes (FTIE bytes 20–52) are uncontrolled by the attacker since they are chosen by the responder, but Snonce (bytes 52–84) is fully attacker-controlled.
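The detection bullets above describe checks on individual TDLS action frames. The following is an added example, not code from this page or from the Project Zero research it summarizes: a small Python parser that walks the LLC/SNAP-encapsulated TDLS payload, splits the IE list, and raises the findings the bullets call for (FT IE of length 0xFF in a Teardown, oversized RSN IE in a Setup Confirm, action code 127, and IEs whose declared length overruns the frame). The frame layouts follow IEEE 802.11 TDLS (EtherType 0x890d, payload type 2, category 12, action codes 0-3, element IDs 48, 55 and 101). The sample frames are constructed here, and MIC_BUF_LEN and RSN_MAX_LEN are assumed thresholds, not values taken from the firmware.

```python
"""TDLS action-frame checks for the CVE-2017-0561 IOCs listed above.
Added example; frame layouts are from IEEE 802.11 TDLS, byte samples are constructed."""

LLC_SNAP_TDLS = bytes.fromhex("aaaa030000" "00890d")  # LLC/SNAP header + EtherType 0x890d
PAYLOAD_TYPE_TDLS = 2
CATEGORY_TDLS = 12
ACT_SETUP_REQUEST, ACT_SETUP_RESPONSE, ACT_SETUP_CONFIRM, ACT_TEARDOWN = 0, 1, 2, 3
ACT_SUSPICIOUS = 127          # non-standard action code named in the IOC list
TAG_RSN, TAG_FTIE, TAG_LINK_ID = 48, 55, 101
MIC_BUF_LEN = 0xFF            # assumption: FT IE length that the Teardown IOC bullet names
RSN_MAX_LEN = 0x40            # assumption: anything longer is not a sane RSN IE in a Setup Confirm

# Bytes between the action code and the IE list, per action code:
# Setup Request: dialog token(1) + capability(2); Setup Response: status(2) + token(1) + capability(2);
# Setup Confirm: status(2) + token(1); Teardown: reason code(2).
FIXED_FIELDS = {ACT_SETUP_REQUEST: 3, ACT_SETUP_RESPONSE: 5, ACT_SETUP_CONFIRM: 3, ACT_TEARDOWN: 2}


def parse_ies(buf):
    """Walk tag/length/value IEs. A declared length past the end of the buffer is
    reported as a finding instead of being silently truncated."""
    ies, findings, pos = [], [], 0
    while pos + 2 <= len(buf):
        tag, length = buf[pos], buf[pos + 1]
        value = buf[pos + 2:pos + 2 + length]
        if len(value) < length:
            findings.append(f"truncated IE tag {tag}: declares {length} bytes, {len(value)} present")
        ies.append((tag, length, value))
        pos += 2 + length
    return ies, findings


def parse_tdls(frame):
    """Return (action, fixed_fields, ies, findings) for a TDLS data frame, or None if
    the LLC/SNAP, payload type or category do not identify it as TDLS."""
    hdr = len(LLC_SNAP_TDLS)
    if not frame.startswith(LLC_SNAP_TDLS) or len(frame) < hdr + 3:
        return None
    if frame[hdr] != PAYLOAD_TYPE_TDLS or frame[hdr + 1] != CATEGORY_TDLS:
        return None
    action = frame[hdr + 2]
    body = frame[hdr + 3:]
    skip = FIXED_FIELDS.get(action, 0)      # unknown action codes: parse IEs from the start
    ies, findings = parse_ies(body[skip:])
    return action, body[:skip], ies, findings


def analyze(frame):
    """Apply the IOC checks to one frame and return a list of finding strings (empty = clean)."""
    parsed = parse_tdls(frame)
    if parsed is None:
        return []
    action, _fixed, ies, findings = parsed
    if action == ACT_SUSPICIOUS:
        findings.append("TDLS action code 127 (non-standard; used by the public exploit)")
    if action == ACT_TEARDOWN:
        for tag, length, _ in ies:
            if tag == TAG_FTIE and length == MIC_BUF_LEN:
                findings.append("Teardown with FT IE length 0xFF (wlc_tdls_cal_teardown_mic_chk overflow trigger)")
    if action == ACT_SETUP_CONFIRM:
        for tag, length, _ in ies:
            if tag == TAG_RSN and length > RSN_MAX_LEN:
                findings.append(f"Setup Confirm with RSN IE length {length:#x} (wlc_tdls_cal_mic_chk overflow candidate)")
    return findings


# --- constructed sample frames (not captured traffic) ---------------------------------
def _ie(tag, payload):
    return bytes([tag, len(payload)]) + payload


def tdls_frame(action, fixed, ies):
    return LLC_SNAP_TDLS + bytes([PAYLOAD_TYPE_TDLS, CATEGORY_TDLS, action]) + fixed + b"".join(ies)


LINK_ID = _ie(TAG_LINK_ID, b"\x00" * 18)   # Link Identifier: BSSID + initiator + responder, zeroed
SAMPLES = {
    "benign_teardown":   tdls_frame(ACT_TEARDOWN, b"\x1a\x00", [_ie(TAG_FTIE, b"\x00" * 82), LINK_ID]),
    "teardown_overflow": tdls_frame(ACT_TEARDOWN, b"\x1a\x00", [_ie(TAG_FTIE, b"A" * 255), LINK_ID]),
    "confirm_overflow":  tdls_frame(ACT_SETUP_CONFIRM, b"\x00\x00\x01", [_ie(TAG_RSN, b"B" * 0xE0), LINK_ID]),
    "action_127":        tdls_frame(ACT_SUSPICIOUS, b"", [_ie(TAG_FTIE, b"C" * 40)]),
    "truncated_ie":      tdls_frame(ACT_SETUP_CONFIRM, b"\x00\x00\x01", [bytes([TAG_RSN, 0x30]) + b"D" * 4]),
    "not_tdls":          bytes.fromhex("aaaa030000000800") + b"\x45" * 20,   # IPv4 over LLC/SNAP
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18s} {analyze(frame) or 'clean'}")
```

Feed it the frame body after the 802.11/LLC headers from a capture on the client side of the link; legitimate RSN IEs in TDLS Setup frames are a few tens of bytes, so RSN_MAX_LEN can be tightened once baseline traffic has been observed.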

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL