| Title: | NetGear WG111v2 Wireless Driver Long Beacon Overflow |
| Description: |
The NetGear WG111v2 wireless adapter (USB) ships with a version of WG111v2.SYS
that is vulnerable to a stack-based buffer overflow. This overflow can lead to
arbitrary kernel-mode code execution. The overflow occurs when a 802.11 beacon
request is received that contains over 1100 bytes of information elements.
This vulnerability was tested with version 5.1213.6.316 of the WG111v2.SYS driver and
a NetGear WG111v2 USB adapter. Since this vulnerability is exploited via beacon frames,
all cards within range of the attack will be affected. The tested adapter used
a MAC address in the range of 00:18:4d:02:XX:XX.
NetGear was NOT contacted about this flaw. A search of the SecurityFocus
database indicates that NetGear has not provided an official patch or
solution for any of the thirty flaws listed at the time of writing. This list
includes BIDs: 1010, 3876, 4024, 4111, 5036, 5667, 5830, 5943, 5940, 6807, 7267, 7270,
7371, 7367, 9194, 10404, 10459, 10585, 10935, 11580, 11634, 12447, 15816, 16837,
16835, 19468, and 19973.
WG111v2 Driver Download (vulnerable) |
| Author/Contributor: |
H D Moore <hdm [at] metasploit.com> - discovery and exploit development. NA<NAgt; - MoKB release. |
| References: | |
| Proof of concept or exploit: | Metasploit Module: exploits/windows/driver/netgear_wg111_beacon.rb |
| Debugging information: |
All tests were performed with version 5.1213.6.316 of the WG111v2.SYS driver. Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using WG111v2.SYS and upgrade accordingly. |