MOKB-18-11-2006

Bug details
Title: NetGear MA521 Wireless Driver Long Rates Overflow
Description: The NetGear MA521 wireless adapter (CARDBUS) ships with a version of MA521nd5.SYS that is vulnerable to a memory corruption condition. This issue may lead to arbitrary kernel-mode code execution (1). When a specific malformed 802.11 frame (beacon or probe response) is received by the wireless interface under active scanning mode, the MA521nd5.SYS driver attempts to write to an attacker-controlled memory location. The vulnerability is triggered by an invalid supported rates information element. NetGear was NOT contacted about this flaw.

MA521 Driver Download (vulnerable)
Author/Contributor: Laurent Butti <laurent.butti [at] orange-ftgroup.com> - discovery and exploit development.
H D Moore <hdm [at] metasploit.com> - Metasploit module clean-up and integration
NA <NA [at] info-pull.com> - MoKB release.
References:
Proof of concept or exploit: Metasploit Module: auxiliary/dos/wireless/netgear_ma521_rates.rb
Debugging information:

This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a NetGear MA521 CARDBUS adapter.
Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using WG111v2.SYS and upgrade accordingly.

1: A remote code execution module for Metasploit is also in development, so this release may be subject to updates as necessary.
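The advisory attributes the crash to a Supported Rates information element whose length the driver does not validate before copying it into a fixed-size buffer. The following C program is an added illustration of the bounds check a frame parser needs at that point; it is not code from the MA521nd5.SYS driver, from the Metasploit module, or from NetGear. It assumes the IEEE 802.11 rule that the Supported Rates element (element ID 1) carries at most 8 octets, and the beacon/probe response body layout of a 12-byte fixed header followed by a list of type/length/value elements. The driver's internal buffer size is not given on the page, so the 8-octet bound stands in for it. The three frame bodies are constructed sample input, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Beacon / probe response body: timestamp (8) + beacon interval (2)
 * + capability info (2), followed by information elements (IEs). */
#define MGMT_FIXED_LEN 12
#define IE_SUPPORTED_RATES 1
#define MAX_SUPPORTED_RATES 8   /* IEEE 802.11: element ID 1 holds 1..8 octets (assumed bound) */

enum rates_status {
    RATES_OK        =  0,
    RATES_TRUNCATED = -1,   /* IE header or value runs past the end of the frame */
    RATES_TOO_LONG  = -2,   /* value longer than the destination buffer: the unchecked case */
    RATES_EMPTY     = -3,   /* zero-length rates element */
    RATES_MISSING   = -4    /* no rates element in the frame */
};

/* Walk the IE list and copy the Supported Rates element into a fixed
 * buffer. Every length is checked against what remains of the frame and
 * against the buffer before any byte is copied. */
int parse_supported_rates(const uint8_t *body, size_t body_len,
                          uint8_t rates_out[MAX_SUPPORTED_RATES], size_t *n_rates)
{
    size_t off = MGMT_FIXED_LEN;
    *n_rates = 0;
    if (body_len < MGMT_FIXED_LEN)
        return RATES_TRUNCATED;
    while (off < body_len) {
        if (body_len - off < 2)              /* need id + length octets */
            return RATES_TRUNCATED;
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        if (len > body_len - off - 2)        /* value must lie inside the frame */
            return RATES_TRUNCATED;
        if (id == IE_SUPPORTED_RATES) {
            if (len == 0)
                return RATES_EMPTY;
            if (len > MAX_SUPPORTED_RATES)   /* the check the advisory says is absent */
                return RATES_TOO_LONG;
            memcpy(rates_out, body + off + 2, len);
            *n_rates = len;
            return RATES_OK;
        }
        off += 2 + (size_t)len;
    }
    return RATES_MISSING;
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0,                 /* timestamp */
    0x64,0x00,                       /* beacon interval: 100 TU */
    0x01,0x04,                       /* capability: ESS, privacy */
    0x00,0x04,'t','e','s','t',       /* SSID "test" */
    0x01,0x04,0x82,0x84,0x8b,0x96,   /* Supported Rates: 1, 2, 5.5, 11 Mbps (basic) */
    0x03,0x01,0x06                   /* DS Parameter Set: channel 6 */
};
static const uint8_t oversized_rates_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x00,0x04,'t','e','s','t',
    0x01,0x10,                       /* Supported Rates claiming 16 octets: exceeds the bound */
    0x82,0x84,0x8b,0x96,0x0c,0x12,0x18,0x24,
    0x30,0x48,0x60,0x6c,0x02,0x04,0x0b,0x16
};
static const uint8_t truncated_rates_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x01,0xff,0x82,0x84              /* length 255 with only 2 octets left in the frame */
};

static int run(const uint8_t *body, size_t len, size_t *n)
{
    uint8_t rates[MAX_SUPPORTED_RATES];
    return parse_supported_rates(body, len, rates, n);
}

int check_well_formed(void)      { size_t n; return run(good_beacon, sizeof good_beacon, &n); }
size_t well_formed_rate_count(void) { size_t n; run(good_beacon, sizeof good_beacon, &n); return n; }
int check_oversized(void)        { size_t n; return run(oversized_rates_beacon, sizeof oversized_rates_beacon, &n); }
int check_truncated(void)        { size_t n; return run(truncated_rates_beacon, sizeof truncated_rates_beacon, &n); }

int main(void)
{
    printf("well-formed: %d (%zu rates)\n", check_well_formed(), well_formed_rate_count());
    printf("oversized rates IE: %d\n", check_oversized());
    printf("truncated rates IE: %d\n", check_truncated());
    return 0;
}
```

The order of the checks matters: the frame-bounds test comes before the element is even identified, and the buffer-bounds test comes before `memcpy`, so a frame with a length octet the sender controls can never drive a copy past either the received buffer or the destination array. A parser that copies first and checks later (or only checks the frame bound) is the shape of defect the bugcheck above reflects.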

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 41414141, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: aa1ec75a, address which referenced memory