Message-ID: <20070709233213.3157.qmail@securityfocus.com>
Date: 9 Jul 2007 23:32:13 -0000
From: mballano@...il.com
To: bugtraq@...urityfocus.com
Subject: WinPcap NPF.SYS Privilege Elevation Vulnerability

	WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
	-------------------------------------------------------------

	Affected software: 

	(*) WinPcap versions affected (Confirmed)
	
	- WinPcap 3.1
	- WinPcap 4.1

	(*) Operating systems affected (Confirmed)
	
	- Windows 2000 SP4 (Both server and workstation) 
	- Windows XP   SP2
	- Windows 2003 Server
	- Windows Vista !!

	Description:

	It is a well-known issue that WinPcap's security model allows non-administrator 
	users to use its device driver. If the driver is not manually unloaded after using 
	tools such as Wireshark (Ethereal), which unfortunately often happens, this 
	can lead to unwanted network traffic sniffing and now, with the help of this 
	exploit, to kernel mode code execution ;-)	
	
	Remarks:
	
	The exploit code is a PoC and was tested only against Windows XP SP2; with minor 
	modifications (delta offsets, and replacing VirtualAlloc with NtAllocateVirtualMemory due
	to base address restrictions in Windows Vista) it should work on all OSes listed 
	above.

	To test the PoC, just pick any software which uses WinPcap, like Wireshark, then 
	start sniffing on any interface and close it (so the WinPcap device gets up). Run the 
	exploit code (as a guest user if you want); you should hit an int 3 in kernel mode :-)
			
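	An added defender-side check, not part of the original advisory or of the WinPcap project: this PowerShell script reports whether the NPF kernel driver is currently loaded (the precondition described above), prints the npf.sys file version so it can be compared with the affected releases, and optionally unloads the driver. It assumes the driver is registered under the service name NPF and is run from an elevated session.

```powershell
# Added example (not from the original post). Reports the state of the WinPcap
# NPF kernel driver and, with -Unload, stops it so non-admin users can no longer
# open the capture device. Assumption: the driver service is named "NPF".
param(
    [switch]$Unload
)

$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'" `
       -ErrorAction SilentlyContinue
if (-not $drv) {
    Write-Output "NPF driver service is not installed on this host."
    return
}

# Win32_SystemDriver.PathName is the full path to npf.sys; read its file version
# so it can be checked against the affected WinPcap releases listed above.
$version = 'unknown'
if (Test-Path -LiteralPath $drv.PathName) {
    $version = (Get-Item -LiteralPath $drv.PathName).VersionInfo.FileVersion
}

Write-Output ("NPF: State={0} StartMode={1} FileVersion={2} Path={3}" -f `
    $drv.State, $drv.StartMode, $version, $drv.PathName)

if ($drv.State -eq 'Running') {
    Write-Warning "NPF.SYS is loaded: any local user can open the capture device."
    if ($Unload) {
        # Same effect as 'net stop npf'; fails while a capture tool still holds
        # the device open, so the error is surfaced rather than swallowed.
        Stop-Service -Name 'NPF' -ErrorAction Stop
        Write-Output "NPF driver unloaded."
    }
} else {
    Write-Output "NPF driver is not running; the capture device is not exposed."
}
```

	Running it without -Unload is safe for fleet-wide auditing; pair it with a scheduled task or logon script if users routinely leave the driver loaded after capturing.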
	Vulnerability discovered by:
	
	Mario Ballano Bárcena,  mballano[_at_]gmail.com 
	
You can download exploit and analysis at : http://www.48bits.com/exploits/npfxpl.c

Best regards, 

Mario
