Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21197
HistoryJan 20, 2009 - 12:00 a.m.

Ralinktech wireless cards drivers vulnerability

2009-01-2000:00:00
vulners.com
14
JSON

Some Ralinktech wireless cards drivers are suffer from integer overflow. by sending
malformed 802.11 Probe Request packet with no care about victim's MAC\BSS\SSID can cause to
remote code execution in kernel mode.

In order to exploit this issue, the attacker should send a Probe
Request packet with SSID length bigger then 128 bytes (but less then 256) when the victim's card is
in ADHOC mode.
attacker shouldn't be on the same network nor even know the MAC\BSS\SSID, he can just send it
broadcast.

Tested on Ralink USB wireless adapter (RT73) V3.08 on win2k with the latest driver version.
Status: Unpatched ,vulnerability reported to vendor.
Oses: Windows\linux drivers.

Have fun!
Aviv

JSON