[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <469514D6.4000401@s0ftpj.org>
Date: Wed, 11 Jul 2007 19:35:18 +0200
From: "KJK::Hyperion" <hackbunny@...tpj.org>
To: full-disclosure@...ts.grok.org.uk
Cc: vulnwatch@...nwatch.org, bugtraq@...urityfocus.com
Subject: Re: iDefense Security Advisory 07.09.07: WinPcap
NPF.SYS Local Privilege Escalation Vulnerability
iDefense Labs wrote:
> WinPcap NPF.SYS Local Privilege Escalation Vulnerability
>
> iDefense Security Advisory 07.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 09, 2007
>
> I. BACKGROUND
>
> WinPcap is a software package that facilitates real-time link-level
> network access for Windows-based operating systems. It is used by a
> wide range of open-source projects including Wireshark. More
> information is available at the project web site at the URL shown
> below.
>
> http://www.winpcap.org/
>
> II. DESCRIPTION
>
> Local exploitation of an input validation vulnerability within the
> NPF.SYS device driver of WinPcap allows attackers to execute arbitrary
> code in kernel context.
>
> The vulnerability specifically exists due to insufficient input
> validation when handling the Interrupt Request Packet (Irp) parameters
> passed to IOCTL 9031 (BIOCGSTATS). By passing carefully chosen
> parameters to this IOCTL, an attacker can overwrite arbitrary kernel
> memory.
>
> III. ANALYSIS
>
> Exploitation allows attackers to execute arbitrary code in kernel
> context.
>
> The vulnerable device driver is loaded when WinPcap is initialized. This
> driver can be set to load on start-up depending on a choice made at
> installation time. This is not the default setting.
>
> In a default installation, the device driver is not loaded until an
> Administrator utilizes a WinPcap dependent application. Once they do,
> it will become accessible to normal users as well. When a program using
> this driver exists, it is not unloaded. Attackers will continue to have
> access until the driver is manually unloaded.
Nobody seemed to care about my patch for custom security on the capture
device:
<http://www.winpcap.org/pipermail/winpcap-bugs/2005-June/000029.html>
In other news, Microsoft just released Network Monitor 3.1:
<http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac>
(I'm extremely impressed by the improvements on 2.x, BTW)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists