Ralinktech无线驱动MAC/BSS/SSID整数溢出漏洞

https://www.securityfocus.com/bid/33340
https://cxsecurity.com/issue/WLB-2009010216
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-358

RalinkRT73是一款小型的无线网卡。RalinkRT73网卡驱动中存在整数溢出漏洞。如果用户的网卡处于ADHOC模式的话，则发送SSID长度大于128字节但小于256字节的ProbeRequest报文就恶意触发这个溢出，导致执行任意代码。

Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending 
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to 
remote code execution in kernel mode.

In order to exploit this issue, the attacker should send a Probe 
Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it broadcast.

Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.

Have fun!
Aviv

Ralink Technology Ralink USB Wireless Adapter (RT73) 3.08 Gentoo Linux Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel

来源:BID
名称:33340
链接:http://www.securityfocus.com/bid/33340
来源:BUGTRAQ
名称:20090118Ralinktechwirelesscardsdriversvulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/500168/100/0/threaded
来源:DEBIAN
名称:DSA-1714
链接:http://www.debian.org/security/2009/dsa-1714
来源:DEBIAN
名称:DSA-1713
链接:http://www.debian.org/security/2009/dsa-1713
来源:DEBIAN
名称:DSA-1712
链接:http://www.debian.org/security/2009/dsa-1712
来源:GENTOO
名称:GLSA-200907-08
链接:http://security.gentoo.org/glsa/glsa-200907-08.xml
来源:SECUNIA
名称:35743
链接:http://secunia.com/advisories/35743
来源:SECUNIA
名称:33699
链接:http://secunia.com/advisories/33699
来源:SECUNIA
名称:33592
链接:http://secunia.com/advisories/33592
来源:MISC
链接:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512995