France Telecom researcher demo'd device driver bug in MadWiFi Linux kernel

A researcher from France Telecom has discovered the first remotely exploitable 802.11 WiFi bug on a Linux machine. The kernel stack-overflow bug, which is in the open-source MadWiFi Linux kernel device driver, lets an attacker run malicious code remotely on a machine running the vulnerable driver -- and that machine doesn't even have to be connected to a WiFi network to get "owned."

Laurent Butti, senior security expert for France Telecom's Orange R&D, says all it takes to trigger the vulnerability is for the client machine's wireless NIC to be active and performing its automated scan for WiFi access points in range. The attacker must be within wireless range of the victim for the exploit to execute, he says.

Butti, who also found three Windows WiFi bugs with his homegrown 802.11 fuzzing tool -- two of which (Netgear) made the Month of Kernel Bugs last year and allow denial-of-service attacks -- admits that a Linux bug doesn't mean much to the mostly Windows and Mac mainstream WiFi laptop user. But, he says, the Atheros chipset itself is widely used. (See Month of Kernel Bugs Ends in Controversy and Kernel Bugs Come Marchin' In.)

The researcher presented his findings at Black Hat Europe in Amsterdam last month, but he had already released his proof-of-concept exploit last December after going through a "responsible disclosure" process with MadWiFi's development team, he says. "We contacted them and waited for them to patch the issue" first, he says, which they did.

Butti's work follows in the footsteps of WiFi device driver vulnerability research done by Jon Ellch (a.k.a. Johnny Cache) and David Maynor, CTO of Errata Security, who showed how device drivers were a hacker's dream come true at Black Hat USA last summer. (See Device Drivers at Risk.)

And these bugs have implications for the OS kernel. "The vulnerabilities are driver code. But as driver code operates in [the operating system's] kernel-land, any exploitable security bug will compromise the kernel" as well, Butti says.

With 802.11 standards becoming more complex and requiring extensions and more code in APs and drivers, there will be more bugs to come, he says.

Although his homegrown fuzzer has some advanced features, Butti says most vulnerabilities can be found with a basic wireless fuzzer, which shows how easy it is to find device-driver bugs today. "I gave some fuzzing scripts in my [Black Hat] presentation that should find about 80 percent of known wireless driver bugs."

Meanwhile, Butti is working on building an 802.11 fuzzer that expands beyond his recent research on client-side vulnerabilities to the access point side as well. "I am trying to develop a fully featured 802.11 fuzzer for both client and access point side."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
