Title: NetGear MA521 Wireless Driver Long Rates Overflow

Description:
The NetGear MA521 wireless adapter (CARDBUS) ships with a version of MA521nd5.SYS
that is vulnerable to a memory corruption condition. This issue may lead to
arbitrary kernel-mode code execution (1).
When a specific malformed 802.11 frame (beacon or probe response)
is received by the wireless interface under active scanning mode, the MA521nd5.SYS
driver attempts to write to an attacker-controlled memory location. The vulnerability
is triggered by an invalid supported rates information element.
NetGear was NOT contacted about this flaw.
MA521 Driver Download (vulnerable)

Author/Contributor:
- Laurent Butti <laurent.butti [at] orange-ftgroup.com> - discovery and exploit development.
- H D Moore <hdm [at] metasploit.com> - Metasploit module clean-up and integration.
- NA <NA [at] info-pull.com> - MoKB release.

References: none listed.

Proof of concept or exploit: Metasploit module auxiliary/dos/wireless/netgear_ma521_rates.rb
Debugging information:

This DoS was tested with version 5.148.724.2003 of the MA521nd5.SYS driver and a
NetGear MA521 CARDBUS adapter.

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 41414141, memory referenced
    Arg2: 00000002, IRQL
    Arg3: 00000000, value 0 = read operation, 1 = write operation
    Arg4: aa1ec75a, address which referenced memory
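As an added illustration (not code from the advisory, the Metasploit module or the NetGear driver), the length validation a beacon / probe response parser needs so that an over-long Supported Rates element is rejected instead of overrunning a fixed-size rates buffer. The element IDs and the 8-rate limit follow the 802.11 standard; the 8-entry buffer and the sample element bytes are assumptions constructed for the example, since the driver's real internal layout is not described on this page.

```c
#include <stdint.h>
#include <string.h>

#define IE_SUPPORTED_RATES 1
#define MAX_RATES          8   /* a Supported Rates element carries at most 8 rates */
enum { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2 };   /* parse outcomes */

struct scan_result {
    uint8_t rates[MAX_RATES];  /* fixed-size destination, like a driver's scan table */
    size_t  n_rates;
};

/* Walk the tagged parameters of a beacon / probe response body and copy the
 * Supported Rates element into the fixed-size buffer. Each element's declared
 * length is checked against the frame and, for rates, the buffer, before any copy. */
int parse_beacon_ies(const uint8_t *ies, size_t len, struct scan_result *out)
{
    size_t pos = 0;
    out->n_rates = 0;
    while (pos < len) {
        if (len - pos < 2)              /* need Element ID + Length header */
            return IE_TRUNCATED;
        uint8_t id    = ies[pos];
        uint8_t ielen = ies[pos + 1];
        pos += 2;
        if (ielen > len - pos)          /* declared length must fit the frame */
            return IE_TRUNCATED;
        if (id == IE_SUPPORTED_RATES) {
            if (ielen > MAX_RATES)      /* the bound an overflowing copy lacks */
                return IE_TOO_LONG;
            memcpy(out->rates, &ies[pos], ielen);
            out->n_rates = ielen;
        }
        pos += ielen;
    }
    return IE_OK;
}

/* Constructed samples, not captures. SSID "test" then four rates: well formed. */
static const uint8_t good_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',        /* SSID element */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96     /* 1, 2, 5.5, 11 Mbit/s, all basic */
};
/* Rates element declaring 12 entries: more than the 8 the buffer holds. */
static const uint8_t long_ies[] = {
    0x01, 0x0c, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12,
    0x18, 0x24, 0x30, 0x48, 0x60, 0x6c
};
/* Rates element declaring 16 bytes while the frame ends after two. */
static const uint8_t trunc_ies[] = { 0x01, 0x10, 0x82, 0x84 };
static struct scan_result scratch;         /* result slot used by the checks */
```

A real parser would route a 12-entry list through the Extended Supported Rates element rather than rejecting the frame, but the point here is that every declared length is bounded before the copy.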