Ralinktech wireless cards drivers vulnerability

2009.01.29

Credit: springsec

Risk: High

Local: No

Remote: Yes

CVE: CVE-2009-0282

CWE: CWE-189

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to
remote code execution in kernel mode.
In order to exploit this issue, the attacker should send a Probe
Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it broadcast.
Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.
Have fun!
Aviv

References:

http://www.securityfocus.com/archive/1/archive/1/500168/100/0/threaded

http://secunia.com/advisories/33592

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Ralinktech wireless cards drivers vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.