lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200901181112.n0IBC3GR022232@www5.securityfocus.com>
Date: Sun, 18 Jan 2009 04:12:03 -0700
From: springsec@...il.com
To: bugtraq@...urityfocus.com
Subject: Ralinktech wireless cards drivers vulnerability

Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending 
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to 
remote code execution in kernel mode.

In order to exploit this issue, the attacker should send a Probe 
Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it broadcast.

Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.

Have fun!
Aviv 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ