Message-ID: <DUB128-W4375E1A12AB10E6181488BCFD10@phx.gbl>
Date: Thu, 4 Feb 2016 11:38:39 +0200
From: Kyriakos Economou <arfproject@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] NDI5aster – Privilege Escalation through NDIS 5.x Filter Intermediate Drivers
NDI5aster – Privilege Escalation through NDIS 5.x Filter Intermediate Drivers
ABSTRACT
The Network Driver Interface Specification (NDIS) [11] is a programming
interface specification that, from the network driver architecture
perspective, facilitates communication between a protocol driver and the
underlying network adapter. In the Windows OS, the so-called
“NDIS wrapper” (implemented in Ndis.sys) provides a programming
layer of communication between network protocols (TCP/IP) and all the
underlying NDIS device drivers, so that the implementation of high-level
protocol components is independent of the network adapter itself.
During vulnerability research from a local security perspective that was
performed over several software firewall products designed for Windows
XP and Windows Server 2003 (R2 included), an issue during the loading
and initialization of one of the OS NDIS protocol drivers was
identified; specifically the ’Remote Access and Routing Driver’ called
wanarp.sys. This issue can be exploited through various NDIS 5.x filter
intermediate drivers [4] that provide the firewall functionality of
several security-related products. The resulting impact is vertical
privilege escalation which allows a local attacker to execute code with
kernel privileges from any account type, thus completely compromising
the affected host.
URL: http://www.anti-reversing.com/ndi5aster/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/