Ralinktech wireless cards drivers vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Ralinktech wireless cards drivers vulnerability
From: springsec@xxxxxxxxx
Date: Sun, 18 Jan 2009 04:12:03 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Some Ralinktech wireless cards drivers are suffer from integer overflow. by 
sending 
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID 
can cause to 
remote code execution in kernel mode.

In order to exploit this issue, the attacker should send a Probe 
Request packet with SSID length bigger then 128 bytes (but less then 256) when 
the victim's card is in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he 
can just send it broadcast.

Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest 
driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.

Have fun!
Aviv

Prev by Date: FBI XSS Vulnerability
Next by Date: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities
Previous by thread: FBI XSS Vulnerability
Next by thread: 53KF Web IM 2009 Cross-Site Scripting Vulnerabilities
Index(es):
- Date
- Thread