AOH :: HP Unsorted R :: VA2359.HTM

Ralinktech wireless cards drivers vulnerability



Ralinktech wireless cards drivers vulnerability
Ralinktech wireless cards drivers vulnerability



Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending 
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to 
remote code execution in kernel mode.

In order to exploit this issue, the attacker should send a Probe 
Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it broadcast.

Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.

Have fun!
Aviv 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.