CVE-2006-5972
Published 2006-11-18
Priority P2 · 61 · critical · CVSS 2.0 score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS 19.31% (97.0th percentile)
Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless adapter (USB) allows remote attackers to execute arbitrary code via a long 802.11 beacon request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | wg111v2_driver | — | — |
Detection & IOCs (extracted from sources)
bytes: `\x81\xC4\x54\xF2\xFF\xFF`
Detection signals:
- Trigger condition: an 802.11 Beacon frame containing more than 1100 bytes of information elements. Monitor for anomalously large beacon frames exceeding this threshold.
- The exploit overwrites the return address at offset 1101 within the information elements buffer. A crafted beacon with a 4-byte kernel address (jmp esp gadget) at IE offset 1101 is a strong indicator of exploitation.
- A secondary jump stub (push 0x39 / pop eax / add edi,eax / jmp edi) is embedded at IE offset 1113 in the exploit beacon. Detect this byte sequence in 802.11 beacon IEs.
- The exploit targets clients in a non-associated (scanning) state; all cards within RF range are affected. Anomalous beacon floods from a single source MAC should be investigated.
- The exploit uses a broadcast destination MAC (FF:FF:FF:FF:FF:FF) by default. Beacon frames with oversized IEs sent to broadcast are a key detection signal.

Exploitation notes:
- The exploit requires the victim's WG111v2 USB adapter to be in a non-associated (scanning) state. Associated clients are not affected.
- The Metasploit module depends on the Lorcon2 library and only functions on Linux with a supported wireless card; it cannot be launched from Windows.
- Exploitation timing is non-deterministic; the payload can take up to a minute to execute depending on system activity.
- Return addresses (ROP gadgets) are hardcoded per Windows XP SP2 build; the two supported targets are 5.1.2600.2122 (GDR) and 5.1.2600.2180 (RTM), both paired with WG111v2.SYS 5.1213.6.316.
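To make the oversized-IE and broadcast-destination signals above concrete, here is an added detection example; it is not code from the page, from the Metasploit module, or from any referenced advisory. It builds two constructed beacon frames (a normal one and one padded with benign vendor-specific filler IEs), walks the information elements, and raises alerts when the IE payload exceeds the 1100-byte threshold the page gives and when such a frame is addressed to FF:FF:FF:FF:FF:FF. The source MAC, SSID and filler contents are constructed sample values.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Threshold from the page: more than 1100 bytes of IEs overflows the driver buffer
# (the return address sits at IE offset 1101). Anything above it is suspicious.
MAX_SAFE_IE_BYTES = 1100
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class BeaconReport:
    src: str
    dst: str
    ie_bytes: int
    ie_count: int
    malformed: bool
    alerts: List[str] = field(default_factory=list)


def build_beacon(src: bytes, ie_payload: bytes, dst: bytes = BROADCAST) -> bytes:
    """Construct a minimal 802.11 beacon: 24-byte MAC header, 12 bytes of fixed
    fields (timestamp, beacon interval, capability), then the IE payload."""
    fc = b"\x80\x00"            # frame control: management type, beacon subtype
    duration = b"\x00\x00"
    seq = b"\x00\x00"
    header = fc + duration + dst + src + src + seq   # addr3 (BSSID) = source
    fixed = struct.pack("<QHH", 0, 100, 0x0401)
    return header + fixed + ie_payload


def walk_ies(ie_payload: bytes) -> Tuple[list, bool]:
    """Parse TLV information elements; report malformed=True if a declared
    length runs past the end of the frame (a common sign of a crafted beacon)."""
    ies, off, malformed = [], 0, False
    while off + 2 <= len(ie_payload):
        eid, length = ie_payload[off], ie_payload[off + 1]
        if off + 2 + length > len(ie_payload):
            malformed = True
            break
        ies.append((eid, ie_payload[off + 2:off + 2 + length]))
        off += 2 + length
    if off != len(ie_payload):
        malformed = True
    return ies, malformed


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def inspect_beacon(frame: bytes) -> BeaconReport:
    """Apply the page's two structural checks to one captured beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    dst, src = frame[4:10], frame[10:16]
    ie_payload = frame[36:]
    ies, malformed = walk_ies(ie_payload)
    rep = BeaconReport(mac(src), mac(dst), len(ie_payload), len(ies), malformed)
    if rep.ie_bytes > MAX_SAFE_IE_BYTES:
        rep.alerts.append(f"oversized IEs: {rep.ie_bytes} bytes > {MAX_SAFE_IE_BYTES}")
        if dst == BROADCAST:
            rep.alerts.append("oversized beacon sent to broadcast destination")
    if malformed:
        rep.alerts.append("IE length field overruns frame")
    return rep


# Constructed sample input: a normal beacon (SSID "test" plus one rate, 9 bytes
# of IEs) and one padded with five 255-byte vendor-specific IEs (1285 bytes).
NORMAL_IES = b"\x00\x04test" + b"\x01\x01\x82"
FILLER_IES = (b"\xdd\xff" + b"\x00" * 255) * 5
SAMPLE_SRC = bytes.fromhex("00112233aabb")   # constructed source MAC


def sample_reports() -> Tuple[BeaconReport, BeaconReport]:
    return (inspect_beacon(build_beacon(SAMPLE_SRC, NORMAL_IES)),
            inspect_beacon(build_beacon(SAMPLE_SRC, FILLER_IES)))


if __name__ == "__main__":
    for rep in sample_reports():
        print(rep)
```

The check is deliberately structural (IE byte count, destination address, TLV consistency) rather than a byte-pattern match, so it also flags variants that change the gadget addresses; a monitor-mode capture pipeline would feed each management frame to `inspect_beacon` and count alerts per source MAC to catch the beacon floods the page mentions.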
References:
- http://projects.info-pull.com/mokb/MOKB-16-11-2006.html
- http://secunia.com/advisories/22962
- http://securitytracker.com/id?1017245
- http://www.kb.cert.org/vuls/id/445753
- http://www.securityfocus.com/bid/21126
- http://www.vupen.com/english/advisories/2006/4560
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30370