CommandInWiFi
Investigating Command Injection Flaws in WiFi Access Point Storage
Inspired by Zero-Click Attacks
- Purpose of the Code: For testing or educational purposes only. Use ethically and legally.
- IoT Security Testing: Intended for IoT security engineers performing penetration tests that assess device behavior under different network conditions.
This code creates Wi-Fi SSIDs based on the provided payload names, focusing on how devices save and discover SSIDs. Some devices may use SSID names as payload carriers, which can then be executed at the bash level. This vulnerability ranges from Denial of Service (DoS) to Remote Code Execution (RCE), including unauthorized port access, and significantly impacts Wi-Fi-based IoT devices. The code aims to reboot devices when they encounter a pre-set payload-bearing SSID.
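As an added defensive example (not part of this project's code), the following Python shows the check a device's scan handler or provisioning code should apply before storing a discovered SSID or handing it to any command: enforce the 32-octet 802.11 limit, flag control characters and shell metacharacters, and pass the SSID to `nmcli` as a single argv element instead of splicing it into a shell string. The `nmcli device wifi connect` command is real; the scan results in the block are constructed.

```python
import shlex
import unicodedata

SSID_MAX_OCTETS = 32  # IEEE 802.11: an SSID is 0 to 32 octets

# Characters a POSIX shell interprets; an SSID holding any of them must never
# be spliced into a command string. Space is left out on purpose: it is common
# in legitimate SSIDs, and argv passing below handles it anyway.
SHELL_META = set(";|&$`<>(){}[]*?!\\'\"\n\r\t#")

def ssid_findings(ssid: str) -> list[str]:
    """Return the reasons a scanned SSID is risky to store or pass on.
    An empty list means every check passed; the caller decides whether
    to log, quarantine or drop the entry."""
    findings = []
    raw = ssid.encode("utf-8", "replace")
    if not raw:
        findings.append("empty")
    if len(raw) > SSID_MAX_OCTETS:
        findings.append(f"length {len(raw)} > {SSID_MAX_OCTETS} octets")
    if any(unicodedata.category(c).startswith("C") for c in ssid):
        findings.append("control/format characters")
    meta = sorted({c for c in ssid if c in SHELL_META})
    if meta:
        findings.append("shell metacharacters: " + "".join(meta))
    return findings

def connect_argv(ssid: str) -> list[str]:
    """Hardened form: the SSID is one argv element, so no shell ever parses it.
    Run as subprocess.run(connect_argv(ssid), check=True); never shell=True."""
    return ["nmcli", "device", "wifi", "connect", ssid]

def connect_shell_line(ssid: str) -> str:
    """If a shell string is unavoidable (e.g. a hook script), quote the SSID.
    The vulnerable pattern is f"nmcli device wifi connect {ssid}"."""
    return "nmcli device wifi connect " + shlex.quote(ssid)

def triage_scan(ssids: list[str]) -> dict[str, list[str]]:
    """Map each scanned SSID to its findings."""
    return {s: ssid_findings(s) for s in ssids}

if __name__ == "__main__":
    # Constructed scan results, not captured from a real device.
    for name, why in triage_scan(["HomeNet", "Guest;Net", "Tab\tNet", "A" * 33]).items():
        print(repr(name), "OK" if not why else "; ".join(why))
```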
| Status | Condition |
|---|---|
| SAFE | Device does not reboot. |
| UNSAFE | Device reboots upon encountering a specific SSID or at user-defined intervals. |
| S.No | Description of Vulnerable Devices | Impact Risk Level |
|---|---|---|
| 1. | Devices that join open Wi-Fi networks or execute payloads during discovery | Zero-Click |
| 2. | Devices that read SSIDs as bash-level commands, either with user interaction or some time after the network SSID has been saved | Critical |
| 3. | Devices that store payload-format data containing special characters without encryption; here maximum trial and error is needed | Low Risk |
- Build framework
- Add function to discover vulnerable devices
- Document the project
- Include vulnerable source code
- Compile a payload list
- Develop a terminal-based tool
- Add other test cases
- Active payloads for OS Command Injection in IoT devices
  - Bluetooth
  - NFC - not started yet
  - More to be included in future
- What is Zero-Click Malware? - Kaspersky
- Meet WiFiDemon: iOS WiFi RCE 0-Day Vulnerability - ZecOps Blog
- What is a Zero-Click Attack? - Check Point
- Apple Quietly Patched 0-Click Wi-Fi Code Execution Vulnerability - SecurityWeek
- Marvell Avastar Wi-Fi Vulnerability - Help Net Security
- OS Command Injection - PortSwigger
- CVE-2023-45866: 0-Click Bluetooth vulnerability