Ralinktech wireless cards drivers vulnerability

2009.01.29
Credit: springsec
Risk: High
Local: No
Remote: Yes
CWE: CWE-189


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to remote code execution in kernel mode. In order to exploit this issue, the attacker should send a Probe Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is in ADHOC mode. attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it broadcast. Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version. Status: Unpatched ,vulnerability reported to vendor. Oses: Windows\linux drivers. Have fun! Aviv

References:

http://www.securityfocus.com/archive/1/archive/1/500168/100/0/threaded
http://secunia.com/advisories/33592
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top