CVE-2017-11120
published 2017-09-28


Priority: P2 · 62 · critical 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available
EPSS: 9.13% (94.7th percentile)
On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, an attacker can craft a malformed RRM neighbor report frame to trigger an internal buffer overflow in the Wi-Fi firmware, aka B-V2017061204.

Affected (6 ranges)

Vendor     Product              Version range   Fixed in
apple      ios
apple      iphone_os            < 11.0          11.0
apple      tvos                 < 11.0          11.0
apple      tvos
broadcom   bcm4355c0_firmware
google     android

Detection & IOCs (extracted from sources)

url:      https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42784.zip
filename: exploit/attack.py
filename: exploit/conf.py
filename: exploit/symbols.py
filename: exploit/assemble_backdoor.sh
filename: hostapd-2.6/hostapd/hostapd.conf
  • Detect malformed 802.11k RRM Neighbor Report Response frames sent over-the-air; the vulnerability is triggered by a crafted RRM neighbor report frame causing an internal buffer overflow in Broadcom Wi-Fi firmware.
  • Monitor for post-exploitation use of crafted 802.11 action frames used to issue remote read/write commands to a backdoored Broadcom Wi-Fi firmware; the backdoor communicates via crafted action frames.
  • Flag wireless clients associating to a rogue AP broadcasting SSID 'test80211k', which is the network name used by the public proof-of-concept exploit.
  • Presence of exploit tooling files (attack.py, assemble_backdoor.sh, conf.py, symbols.py) on a host may indicate preparation or execution of the CVE-2017-11120 exploit chain.
  • The exploit targets Broadcom BCM4355C0 Wi-Fi chips running firmware version 9.44.78.27.0.1.56; inventory and monitor devices with this chipset/firmware combination as high-priority targets.
  • The exploit was validated against iOS 10.2 (14C92) through iOS 10.3.3; unpatched devices in this range are confirmed vulnerable. iOS 11 and tvOS 11 contain the fix.
  • The public PoC exploit requires a SoftMAC Wi-Fi dongle (e.g., TL-WN722N) acting as a rogue AP and a modified hostapd-2.6 with 802.11k RRM/Neighbor Report support and action-frame injection capability; standard hostapd will not work.
  • Symbol offsets in the exploit must be adjusted per iOS version; the provided symbols.py targets iOS 10.2 (14C92) and may not work as-is against other builds.
  • The attacker must be within Wi-Fi radio range of the target device; this is a proximity-based (RF range) attack with no Internet-based exploitation path.
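The first three detection points above (malformed 802.11k Neighbor Report Response frames, crafted Radio Measurement action frames, and beacons carrying the PoC SSID) can be checked with a small frame inspector. The following is an added example for this page, not code from the page or from the public PoC. It parses raw 802.11 management frames (24-byte MAC header, no radiotap) using the standard element IDs and action codes from IEEE 802.11 (Radio Measurement category 5, Neighbor Report Response action 5, Neighbor Report element ID 52). The size thresholds are assumptions chosen for illustration, not the firmware's actual limits, and every sample frame at the bottom is constructed here.

```python
"""Heuristic detector for the over-the-air indicators of CVE-2017-11120.

Added example, not code from the page or the public PoC.  Flags Neighbor
Report Response action frames whose elements overrun the frame or look
oversized, and beacons/probe responses advertising the PoC SSID.
Thresholds are assumptions; all frames below are constructed inline.
"""
import struct

MGMT_TYPE = 0
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON, SUBTYPE_ACTION = 5, 8, 13

CATEGORY_RADIO_MEASUREMENT = 5        # IEEE 802.11 action category (802.11k)
ACTION_NEIGHBOR_REPORT_RESPONSE = 5   # Radio Measurement action code
EID_SSID, EID_NEIGHBOR_REPORT = 0, 52
NEIGHBOR_REPORT_MIN_LEN = 13          # BSSID(6)+BSSID Info(4)+Op Class(1)+Channel(1)+PHY Type(1)

MAX_NEIGHBOR_ELEMENT_LEN = 64         # assumption: larger elements are suspicious
MAX_NEIGHBOR_ELEMENTS = 16            # assumption: more reports than this is suspicious
POC_SSID = b"test80211k"              # SSID used by the public PoC (from the page)


def split_frame(frame):
    """Return (type, subtype, transmitter address, body) of a management frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, frame[10:16], frame[24:]


def iter_elements(data):
    """Yield (eid, declared_len, payload, overrun) for each TLV element.

    overrun=True means the declared length runs past the end of the data;
    payload is then whatever actually remains and iteration stops.
    """
    pos = 0
    while pos + 2 <= len(data):
        eid, elen = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + elen]
        if len(payload) < elen:
            yield eid, elen, payload, True
            return
        yield eid, elen, payload, False
        pos += 2 + elen


def inspect_frame(frame):
    """Return a list of findings for one frame; an empty list means nothing suspicious."""
    findings = []
    ftype, subtype, tx, body = split_frame(frame)
    if ftype != MGMT_TYPE:
        return findings
    src = tx.hex(":")

    is_nr_response = (subtype == SUBTYPE_ACTION and len(body) >= 3
                      and body[0] == CATEGORY_RADIO_MEASUREMENT
                      and body[1] == ACTION_NEIGHBOR_REPORT_RESPONSE)
    if is_nr_response:
        # body = Category(1) Action(1) Dialog Token(1), then Neighbor Report elements
        reports = 0
        for eid, elen, payload, overrun in iter_elements(body[3:]):
            if overrun:
                findings.append(f"{src}: element {eid} declares {elen} bytes but only {len(payload)} remain")
            if eid != EID_NEIGHBOR_REPORT:
                continue
            reports += 1
            if not overrun and elen < NEIGHBOR_REPORT_MIN_LEN:
                findings.append(f"{src}: Neighbor Report element too short ({elen} < {NEIGHBOR_REPORT_MIN_LEN})")
            if elen > MAX_NEIGHBOR_ELEMENT_LEN:
                findings.append(f"{src}: oversized Neighbor Report element ({elen} bytes)")
        if reports > MAX_NEIGHBOR_ELEMENTS:
            findings.append(f"{src}: {reports} Neighbor Report elements in one response")

    elif subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP) and len(body) >= 12:
        # body = Timestamp(8) Beacon Interval(2) Capability(2), then elements
        for eid, _elen, payload, _overrun in iter_elements(body[12:]):
            if eid == EID_SSID and payload == POC_SSID:
                findings.append(f"{src}: advertises PoC SSID {POC_SSID.decode()!r}")
    return findings


# --- constructed sample frames (not captured traffic) ------------------------
def _mgmt_header(subtype, src, dst):
    fc = (MGMT_TYPE << 2) | (subtype << 4)
    return struct.pack("<H", fc) + b"\x00\x00" + dst + src + src + b"\x00\x00"


def element(eid, payload, declared_len=None):
    """TLV element; declared_len overrides the real length to forge a malformed one."""
    return bytes([eid, len(payload) if declared_len is None else declared_len]) + payload


def neighbor_report_response(src, dst, elements, dialog_token=1):
    body = bytes([CATEGORY_RADIO_MEASUREMENT, ACTION_NEIGHBOR_REPORT_RESPONSE, dialog_token])
    return _mgmt_header(SUBTYPE_ACTION, src, dst) + body + b"".join(elements)


def beacon(src, ssid):
    body = b"\x00" * 8 + struct.pack("<HH", 100, 0x0401) + element(EID_SSID, ssid)
    return _mgmt_header(SUBTYPE_BEACON, src, b"\xff" * 6) + body


AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GOOD_REPORT = element(EID_NEIGHBOR_REPORT, AP + b"\x00\x00\x00\x00" + bytes([81, 6, 7]))
BENIGN = neighbor_report_response(AP, STA, [GOOD_REPORT])
OVERRUN = neighbor_report_response(AP, STA, [element(EID_NEIGHBOR_REPORT, b"\x00" * 13, declared_len=0xFF)])
OVERSIZED = neighbor_report_response(AP, STA, [element(EID_NEIGHBOR_REPORT, b"\x00" * 200)])
ROGUE_BEACON = beacon(AP, POC_SSID)

if __name__ == "__main__":
    for name, frame in [("benign", BENIGN), ("overrun", OVERRUN),
                        ("oversized", OVERSIZED), ("beacon", ROGUE_BEACON)]:
        print(name, inspect_frame(frame) or "clean")
```

In a real deployment feed this from a monitor-mode capture after stripping the radiotap header, and expect a baseline of legitimate 802.11k traffic on enterprise networks: the "overrun" check is the one hard signal (a well-formed element never runs past the frame), while the size and count thresholds need tuning against normal Neighbor Report Responses from your own APs.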

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C

Both NVD vectors rate the attack vector as Network (AV:N). The public PoC requires the attacker to be within Wi-Fi radio range of the target, which matches the CVSS 3.0 definition of Adjacent (AV:A, shared physical medium such as IEEE 802.11); treat the 9.8 as an upper bound when prioritizing.