|Title:||D-Link DWL-G132 Wireless Driver Beacon Rates Overflow|
The D-Link DWL-G132 wireless adapter (USB) ships with a version of A5AGU.SYS
that is vulnerable to a stack-based buffer overflow. This overflow can lead to
arbitrary kernel-mode code execution. The overflow occurs when a 802.11 beacon
request is received that contains over 36 bytes in the Rates information element (IE).
This vulnerability was tested with version 184.108.40.206 of the A5AGU.SYS driver and a
D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver
are provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, but
D-Link does not offer an updated driver for the DWL-G132. Since this vulnerability
is exploited via beacon frames, all cards within range of the attacker will be
affected. The tested adapter used a MAC address in the range of 00:11:95:f2:XX:XX.
D-Link was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that D-Link has not provided an official patch or
solution for any of the seven flaws listed at the time of writing:
(BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
To install a patched version of the A5AGU.SYS driver, first install the WUA-2340 driver
from the link below, then re-install the DWL-G132 driver. Browse to the WUA-2340
installation path, find the Drivers subdirectory, and copy all of these files (at
least, the .SYS and .BIN files), to your Windows\System32\Drivers directory, overwriting
the existing files with the same name. Finally, reboot your system.
DWL-G132 Driver Download (vulnerable) WUA-2340 Driver Download (patched)
H D Moore <hdm [at] metasploit.com> - discovery and exploit development.
Matt Miller <mmiller [at] hick.org> - kernel-land staging and debugging.
Johnny Cache <johnnycsh [at] 802.11mercenary.net> - debug, test, ninjosity.
NA<NAgt; - MoKB release.
|Proof of concept or exploit:||Metasploit Module: exploits/windows/driver/dlink_wifi_rates.rb|
All tests were performed with version 220.127.116.11 of the A5AGU.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using A5AGU.SYS and upgrade accordingly.