lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 7 Dec 2006 15:09:15 -0800
From: "eEye Advisories" <>
To: <>
Subject: EEYE: Intel Network Adapter Driver Local
	Privilege Escalation

eEye Research -

Intel Network Adapter Driver Local Privilege Escalation

Release Date:
December 7, 2006

Date Reported:
July 10, 2006

Medium (Local Privilege Escalation to Kernel)

Systems Affected:
Windows 2000, XP, 2003, Vista
    Intel PRO 10/100   - or previous
    Intel PRO/1000     -  or previous
    Intel PRO/1000 PCI - or previous
    Intel PRO 10/100   - 3.5.14  or previous
    Intel PRO/1000     - 7.2.7   or previous
    Intel PRO/10GbE    - 1.0.109 or previous
    Intel PRO 10/100   - 4.0.3  or previous
    Intel PRO/1000     - 9.0.15 or previous

eEye Digital Security has discovered a vulnerability in all Intel
network adapter drivers ("NDIS miniport drivers") that could allow
unprivileged code executing on an affected system to gain unfettered,
kernel-level access.  For instance, a malicious user, malware, or
exploit payload taking advantage of an unrelated vulnerability could
additionally exploit this vulnerability in order to completely
compromise a system at the kernel level.

The vulnerability is a simple strcpy-based stack buffer overflow within
the Intel miniport driver, and can be reliably exploited on all versions
of Windows in order to execute arbitrary code.

Technical Details:
Despite the low level occupied by NDIS miniport drivers, it is possible
for unprivileged user-mode code to communicate with them via
NDIS-brokered requests for network adapter statistics.  An
IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request made to
"\Device\{adapterguid}" will cause NDIS.SYS to invoke the
QueryInformationHandler routine registered by the miniport driver in its
call to NdisMRegisterMiniport.  The input buffer supplied with this
IOCTL is a list of 32-bit OIDs corresponding to the statistics of
interest, each of which is passed individually to
QueryInformationHandler, which contains the code necessary to retrieve
the statistic and return it in the provided output buffer.

In the case of Intel miniport drivers, certain OID handlers will process
the contents of the output buffer.  On Windows 2000, a pointer to the
user-supplied buffer is passed directly to the miniport driver, meaning
this data is under user control.  (Windows XP and later passes in a
pointer to a temporary buffer in kernel memory containing undefined
data, which can be controlled by "seeding" pool memory from user-mode
prior to attempting exploitation.)

The handler for OID 0xFF0203FC attempts to copy a string from the output
buffer into a stack variable using essentially the following strcpy

    strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)

Therefore, supplying a 0x17A-character string (at offset +0x0C within
the output buffer, because NDIS uses the first 8 bytes for its own
purposes) will cause the handler function's return address to be
entirely overwritten, allowing execution to be redirected to an
arbitrary user- or kernel-mode address.

Despite vendor sentiment to the contrary, it should be understood that
driver flaws really are and have always been a major threat.  Local
exploitation of this vulnerability will result in arbitrary code
execution, providing a level of access that amounts to "the keys to the

Retina - Network Security Scanner has been updated to identify this

Vendor Status:
Intel has released a patch for this vulnerability which is available at  

Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
Blink - Unified Client Security Personal - Free For Home Use:
Blink - Unified Client Security Professional - Free Trial:

F1: the very best of luck to you.  To Gliko and to Mr. and Mrs. Mike:
congrats!  cDc for holding the best Vegas party.  TA, WC, MF, DKP, DM,
BN, MP, CSam, HTP, RS, SY, and the G in GUI.

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically.  It is not
to be edited in any way without express consent of eEye.  If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email for permission.

The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists