Buffer overflow in Netgear WLAN driver
The initiators of the Month of Kernel Bugs are keeping busy at their task of publicising one new operating system or driver security hole each day. 16 vulnerabilities in all have made their way onto the list so far.
The latest advisory involves a WLAN driver for Windows. The driver for Netgear's WG111v2 USB WLAN adaptor contains a flaw that allows a buffer overflow to be triggered during the processing of long beacon requests (>1100 bytes). According to the error report, this can be used to smuggle in and execute malicious code. A similar error was recently found in the driver software for the DWL-G132 WLAN USB dongles from Linksys. A proof of concept module is already available for the Metasploit exploit framework. It uses the Lorcon tool to send specially prepared beacon frames to a vulnerable device; knowing the device's WLAN MAC address is sufficient for this.
According to the advisory, the vulnerability was reproduced on a system running Windows XP with Netgear driver version 5.1213.6.316 from WG111v2.SYS. Netgear was not informed about the hole, H.D. Moore writes. Moore, who discovered the hole, justifies this by pointing out that 30 other vulnerabilities in that manufacturer's products remain unpatched, so informing them would have been moot anyway. Moore does not propose a workaround either.
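An added example, not part of the advisory or the Metasploit module: a check that a wireless monitoring sensor could apply to captured frames, flagging beacons longer than the 1100 bytes cited above as well as beacons whose information elements overrun the frame. It assumes the buffer starts at the 802.11 header (no radiotap header, no FCS); all function and constant names are hypothetical, and the sample frames are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN      24    /* frame control .. sequence control */
#define BEACON_FIXED_LEN  12    /* timestamp, beacon interval, capability */
#define LONG_BEACON_BYTES 1100  /* length quoted in the article */

enum verdict { NOT_BEACON, BEACON_OK, BEACON_MALFORMED, BEACON_LONG };

/* f points at the 802.11 header (assumed: no radiotap header, no FCS). */
enum verdict classify_beacon(const uint8_t *f, size_t len)
{
    if (len < 2 || (f[0] & 0x03) != 0)                 /* protocol version 0 */
        return NOT_BEACON;
    if (((f[0] >> 2) & 0x03) != 0 || (f[0] >> 4) != 8) /* management, beacon */
        return NOT_BEACON;
    if (len < MGMT_HDR_LEN + BEACON_FIXED_LEN)
        return BEACON_MALFORMED;
    /* Walk the information elements: id (1 byte), length (1 byte), data. */
    for (size_t off = MGMT_HDR_LEN + BEACON_FIXED_LEN; off < len; ) {
        if (len - off < 2 || (size_t)f[off + 1] > len - off - 2)
            return BEACON_MALFORMED;                   /* element overruns frame */
        off += 2 + (size_t)f[off + 1];
    }
    return len > LONG_BEACON_BYTES ? BEACON_LONG : BEACON_OK;
}

/* Constructed sample: a beacon with n_ies vendor-specific elements of
 * ie_len bytes each, classified after cutting `trim` bytes off the end. */
enum verdict classify_sample(size_t n_ies, uint8_t ie_len, size_t trim)
{
    static uint8_t buf[4096];
    size_t len = MGMT_HDR_LEN + BEACON_FIXED_LEN;
    memset(buf, 0, sizeof buf);
    buf[0] = 0x80;                                     /* type 0, subtype 8 */
    for (size_t i = 0; i < n_ies && len + 2 + ie_len <= sizeof buf; i++) {
        buf[len] = 0xdd;                               /* vendor-specific IE */
        buf[len + 1] = ie_len;
        len += 2 + (size_t)ie_len;
    }
    return classify_beacon(buf, len - trim);
}

int main(void)
{
    printf("small=%d long=%d truncated=%d\n", classify_sample(1, 8, 0),
           classify_sample(5, 255, 0), classify_sample(1, 8, 1));
    return 0;
}
```

A beacon above the threshold is still valid 802.11, so `BEACON_LONG` is a signal to investigate rather than proof of an attack.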
Two other holes have also made the list lately as part of the MoKB. Both relate to the Linux kernel 2.6. The mounting of a malformed stream can lead to a crash if SELinux hooks are activated. A similar situation occurs when mounting a defective stream on the Linux cluster file system GFS2 (Global File System 2).
- NetGear WG111v2 Wireless Driver Long Beacon Overflow, bug advisory from the MoKB