Flaws in Realtek RTL8170C Wi-Fi module allow hijacking wireless communications

Researchers found multiple flaws in the Realtek RTL8170C Wi-Fi module that could be exploited to elevate privileges and hijack wireless communications.

Researchers from Israeli IoT security firm Vdoo found multiple vulnerabilities in the Realtek RTL8170C Wi-Fi module that could allow to elevate privileges and hijack wireless communications.

The Realtek RTL8710C module is based on a Cortex M3 processor, it is used for several applications in many industries, including Agriculture, Automotive, Energy, Gaming, Healthcare, Industrial, Security, and Smart Home.

“Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module.” reads a reported published by Vdoo. To the best of our knowledge, these vulnerabilities are not being exploited in the wild.  Our understanding is that the Realtek team acted promptly to patch these vulnerabilities and push the patched version to the vulnerable products.”

The vulnerabilities impact all embedded and IoT devices that use the Realtek RTL8710C module, they could be exploited only by attackers on the same Wi-Fi network or know the network’s pre-shared key (PSK) used to authenticate wireless clients on local area networks.

Researchers discovered two stack-based buffer overflow vulnerabilities, tracked as CVE-2020-27301 and CVE-2020-27302, in the module’s WPA2 handshake mechanism. The two issues leverage the knowledge of the PSK to obtain remote code execution on WPA2 clients that use the vulnerable Wi-Fi module.

The researchers demonstrated a proof-of-concept (PoC) exploit that sees the attacker masquerading as a legitimate access point, running a modified open-source hostapd, and sending a malicious encrypted group temporal key (GTK) to any client that connects to it via WPA2.

In the video PoC published by the researchers, on the right-hand-side window as “Sending malicious encrypted GTK”

“The video demonstrates the stack overflow, which eventually overwrites the return address to the invalid address of 0x95f98179. This is a “random” address because the buffer goes through AES decryption, however – since the attacker has full knowledge of all the encryption parameters (the network’s PSK etc.), precise control of the return address can be achieved – this is left as an exercise for the reader.” continues the report.

The vendor addressed the issue with the release of a version built on 11/01/2021, experts added that updated versions of the ambz2 SDK can be downloaded from Realtek’s website.
The latest version of ambz2 SDK (7.1d) addresses the issues.

In case organizations can’t update the device’s firmware, they can use a strong, private WPA2 passphrase to prevent exploitation of the above flaws.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Realtek RTL8170C Wi-Fi module)

[adrotate banner=”5″]

[adrotate banner=”13″]