NetGear MA521 Wireless Driver Long Beacon Probe Buffer Overflow Vulnerability

Bugtraq ID:	21175
Class:	Boundary Condition Error
CVE:	CVE-2006-6059
Remote:	Yes
Local:	No
Published:	Nov 18 2006 12:00AM
Updated:	Jul 06 2016 01:33PM
Credit:	Laurent Butti <0x9090 [at] gmail.com> is credited with the discovery of this vulnerability.
Vulnerable:	NetGear MA521nd5.SYS driver 5.148.724 2003 NetGear MA521 wireless adapter (PCMCIA) 0
Not Vulnerable:

NetGear MA521 Wireless Driver Long Beacon Probe Buffer Overflow Vulnerability

NetGear MA521 Wireless device is prone to a stack-based buffer-overflow vulnerability because the driver fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of the kernel hosting the vulnerable driver. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions.

Note that this vulnerability can be exploited only when an attacker is within the range of broadcast of 802.11 wireless connections.

Version 5.148.724.2003 of the MA521nd5.SYS driver is vulnerable to this issue; other versions may also be affected.

NetGear MA521 Wireless Driver Long Beacon Probe Buffer Overflow Vulnerability

The following Metasploit exploit is available:

• /data/vulnerabilities/exploits/netgear_ma521_rates.rb

NetGear MA521 Wireless Driver Long Beacon Probe Buffer Overflow Vulnerability

References:

• MA521 Homepage (NETGEAR)
  
• MOKB-18-11-2006: NetGear MA521 Wireless Driver Long Rates Overflow (Laurent Butti)
  
• VU#395496 - NetGear wireless driver fails to properly process certain 802.11 man (US-CERT)