lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 11 Jul 2007 19:35:18 +0200
From: "KJK::Hyperion" <hackbunny@...tpj.org>
To: full-disclosure@...ts.grok.org.uk
Cc: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] iDefense Security Advisory 07.09.07: WinPcap
 NPF.SYS Local Privilege Escalation Vulnerability

iDefense Labs wrote:
> WinPcap NPF.SYS Local Privilege Escalation Vulnerability
>
> iDefense Security Advisory 07.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 09, 2007
>
> I. BACKGROUND
>
> WinPcap is a software package that facilitates real-time link-level
> network access for Windows-based operating systems. It is used by a
> wide range of open-source projects including Wireshark. More
> information is available at the project web site at the URL shown
> below.
>
> http://www.winpcap.org/
>
> II. DESCRIPTION
>
> Local exploitation of an input validation vulnerability within the
> NPF.SYS device driver of WinPcap allows attackers to execute arbitrary
> code in kernel context.
>
> The vulnerability specifically exists due to insufficient input
> validation when handling the Interrupt Request Packet (Irp) parameters
> passed to IOCTL 9031 (BIOCGSTATS). By passing carefully chosen
> parameters to this IOCTL, an attacker can overwrite arbitrary kernel
> memory.
>
> III. ANALYSIS
>
> Exploitation allows attackers to execute arbitrary code in kernel
> context.
>
> The vulnerable device driver is loaded when WinPcap is initialized. This
> driver can be set to load on start-up depending on a choice made at
> installation time. This is not the default setting.
>
> In a default installation, the device driver is not loaded until an
> Administrator utilizes a WinPcap dependent application. Once they do,
> it will become accessible to normal users as well. When a program using
> this driver exists, it is not unloaded. Attackers will continue to have
> access until the driver is manually unloaded.
Nobody seemed to care about my patch for custom security on the capture 
device:

<http://www.winpcap.org/pipermail/winpcap-bugs/2005-June/000029.html>

In other news, Microsoft just released Network Monitor 3.1:

<http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac>

(I'm extremely impressed by the improvements on 2.x, BTW)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ