Wi-Fi technology is one of the most important infrastructures of today. A large number of devices, such as cellphones, laptops, IoT devices, cars, and smart-city infrastructure, depend heavily on Wi-Fi. As a consequence, Wi-Fi has become one of the most popular attack surfaces of modern information systems.
In this talk, we focus on vulnerabilities in Wi-Fi drivers that can be triggered before password authentication, and on the security issues these Wi-Fi-layer vulnerabilities cause. We would like to share our experience in finding memory corruption vulnerabilities in Wi-Fi drivers, and how we successfully automated the vulnerability discovery process. These memory corruption bugs in Wi-Fi drivers always lead directly to an immediate DoS and significantly affect the target system. We found that these memory corruption vulnerabilities follow certain patterns, and we built a fuzzing tool that automatically finds memory corruption bugs according to these patterns. This tool successfully found a number of memory corruption vulnerabilities in many widely adopted Wi-Fi adapter drivers, including Realtek USB/PCI-E Wi-Fi drivers, the Pixel 3 Wi-Fi driver, and Intel PCI-E Wi-Fi adapter drivers. All of these vulnerabilities are remotely triggerable without password authentication. We strongly believe that the fuzzing methodology and the tool are very effective, and we want to bring them to Black Hat.