Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 2) (Project Zero)
Here's the second part in the detailed Google Project Zero series on using the Broadcom WiFi stack to compromise the host system. "In this post, we'll explore two distinct avenues for attacking the host operating system. In the first part, we'll discover and exploit vulnerabilities in the communication protocols between the Wi-Fi firmware and the host, resulting in code execution within the kernel. Along the way, we'll also observe a curious vulnerability which persisted until quite recently, using which attackers were able to directly attack the internal communication protocols without having to exploit the Wi-Fi SoC in the first place! In the second part, we'll explore hardware design choices allowing the Wi-Fi SoC in its current configuration to fully control the host without requiring a vulnerability in the first place."