MOKB-13-11-2006

Bug details
Title: D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
Description: The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This overflow can lead to arbitrary kernel-mode code execution. The overflow occurs when an 802.11 beacon request is received that contains over 36 bytes in the Rates information element (IE). Since this vulnerability is exploited via beacon frames, all cards within range of the attacker will be affected.

This vulnerability was tested with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX. Newer versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but D-Link does not offer an updated driver for the DWL-G132.

D-Link was NOT contacted about this flaw. A search of the SecurityFocus database indicates that D-Link has not provided an official patch or solution for any of the seven flaws listed at the time of writing (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).

To install a patched version of the A5AGU.SYS driver, first install the WUA-2340 driver from the link below, then re-install the DWL-G132 driver. Browse to the WUA-2340 installation path, find the Drivers subdirectory, and copy all of these files (at least the .SYS and .BIN files) to your Windows\System32\Drivers directory, overwriting the existing files with the same name. Finally, reboot your system.

DWL-G132 Driver Download (vulnerable)
WUA-2340 Driver Download (patched)
Author/Contributor: H D Moore <hdm [at] metasploit.com> - discovery and exploit development.
Matt Miller <mmiller [at] hick.org> - kernel-land staging and debugging.
Johnny Cache <johnnycsh [at] 802.11mercenary.net> - debug, test, ninjosity.
NA <NA> - MoKB release.
References:
Proof of concept or exploit: Metasploit Module: exploits/windows/driver/dlink_wifi_rates.rb
Debugging information:

All tests were performed with version 1.0.1.41 of the A5AGU.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using A5AGU.SYS and upgrade accordingly.
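
Detection sketch for the condition described above, added here as an example and not part of the original advisory or the Metasploit module: it walks the tagged elements of a captured beacon and flags a Rates IE that is truncated, longer than the 8 bytes 802.11 allows for Supported Rates, or longer than the 36 bytes this advisory names. It assumes frames start at the 802.11 header (no radiotap header, FCS stripped); the function names and the sample frame are constructed for illustration.

```python
MGMT_HDR_LEN = 24        # 802.11 management MAC header
BEACON_FIXED_LEN = 12    # timestamp (8) + beacon interval (2) + capability (2)
IE_RATES = 1             # Supported Rates element ID
STD_MAX_RATES = 8        # 802.11 limit for the Supported Rates element
ADVISORY_TRIGGER = 36    # this advisory: overflow when the Rates IE exceeds 36 bytes


def is_beacon(frame: bytes) -> bool:
    """True for protocol version 0, type 0 (management), subtype 8 (beacon)."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return False
    fc = frame[0]
    return (fc & 0x03) == 0 and ((fc >> 2) & 0x03) == 0 and (fc >> 4) == 8


def iter_ies(body: bytes):
    """Yield (id, declared_len, value); value is short when the element is truncated."""
    off = 0
    while off + 2 <= len(body):
        ie_id, ie_len = body[off], body[off + 1]
        yield ie_id, ie_len, body[off + 2: off + 2 + ie_len]
        off += 2 + ie_len


def check_beacon(frame: bytes) -> list:
    """Return (bssid, finding, declared_len) for each suspicious Rates element."""
    findings = []
    if not is_beacon(frame):
        return findings
    bssid = frame[16:22].hex(":")  # addr3 of a beacon is the BSSID
    for ie_id, ie_len, value in iter_ies(frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:]):
        if ie_id != IE_RATES:
            continue
        if len(value) < ie_len:
            findings.append((bssid, "truncated-rates-ie", ie_len))
        elif ie_len > ADVISORY_TRIGGER:
            findings.append((bssid, "rates-ie-over-36", ie_len))
        elif ie_len > STD_MAX_RATES:
            findings.append((bssid, "rates-ie-over-standard", ie_len))
    return findings


def sample_beacon(rates_len: int) -> bytes:
    """Constructed test frame: made-up BSSID, SSID "test", one Rates IE of rates_len bytes."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex("020000000001") * 2 + b"\x00\x00"
    ies = bytes([0, 4]) + b"test" + bytes([IE_RATES, rates_len]) + b"\x82" * rates_len
    return hdr + b"\x00" * BEACON_FIXED_LEN + ies
```
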