iDefense Labs wrote:
> WinPcap NPF.SYS Local Privilege Escalation Vulnerability
>
> iDefense Security Advisory 07.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 09, 2007
>
> I. BACKGROUND
>
> WinPcap is a software package that facilitates real-time link-level
> network access for Windows-based operating systems. It is used by a
> wide range of open-source projects including Wireshark. More
> information is available at the project web site at the URL shown
> below.
>
> http://www.winpcap.org/
>
> II. DESCRIPTION
>
> Local exploitation of an input validation vulnerability within the
> NPF.SYS device driver of WinPcap allows attackers to execute arbitrary
> code in kernel context.
>
> The vulnerability specifically exists due to insufficient input
> validation when handling the Interrupt Request Packet (Irp) parameters
> passed to IOCTL 9031 (BIOCGSTATS). By passing carefully chosen
> parameters to this IOCTL, an attacker can overwrite arbitrary kernel
> memory.
>
> III. ANALYSIS
>
> Exploitation allows attackers to execute arbitrary code in kernel
> context.
>
> The vulnerable device driver is loaded when WinPcap is initialized. This
> driver can be set to load on start-up depending on a choice made at
> installation time. This is not the default setting.
>
> In a default installation, the device driver is not loaded until an
> Administrator utilizes a WinPcap-dependent application. Once they do,
> it will become accessible to normal users as well. When a program using
> this driver exits, it is not unloaded. Attackers will continue to have
> access until the driver is manually unloaded.

Nobody seemed to care about my patch for custom security on the capture
device:

<http://www.winpcap.org/pipermail/winpcap-bugs/2005-June/000029.html>

In other news, Microsoft just released Network Monitor 3.1:

<http://www.microsoft.com/downloads/details.aspx?familyid=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac>

(I'm extremely impressed by the improvements on 2.x, BTW)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
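As an added illustration of the class of check the advisory's description calls for (constructed model code, not NPF.SYS or any WinPcap source; the advisory does not state which specific check NPF.SYS lacked), here is a user-mode C model of an IOCTL dispatch routine that validates every caller-controlled IRP parameter (output length, transfer method, and the raw output pointer for METHOD_NEITHER) before copying capture statistics out. The names model_irp, user_region and model_probe_for_write are assumptions standing in for IO_STACK_LOCATION fields and ProbeForWrite.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not NPF.SYS code) of what a dispatch routine reads from
 * the IRP; a real driver takes these from IO_STACK_LOCATION and the IRP. */
typedef struct {
    uint32_t code;     /* IOCTL code; its low two bits select the transfer method */
    void    *out_buf;  /* SystemBuffer (METHOD_BUFFERED) or raw UserBuffer (METHOD_NEITHER) */
    size_t   out_len;  /* caller-supplied OutputBufferLength */
} model_irp;
/* Stand-in for the memory the calling process actually owns (modelled user space). */
typedef struct { uintptr_t base; size_t size; } user_region;
typedef struct { uint32_t received, dropped, accepted, if_dropped; } capture_stats;

enum { ST_SUCCESS = 0, ST_INVALID_PARAMETER, ST_BUFFER_TOO_SMALL, ST_ACCESS_VIOLATION };
#define METHOD_BUFFERED 0
#define METHOD_NEITHER  3

/* Models ProbeForWrite: the pointer must be aligned and the whole declared
 * length must lie inside the caller's region, so a kernel address is refused. */
static int model_probe_for_write(const void *p, size_t len, size_t align,
                                 const user_region *u) {
    uintptr_t a = (uintptr_t)p;
    if (a % align != 0 || a < u->base) return 0;
    if (a - u->base > u->size || len > u->size - (a - u->base)) return 0;
    return 1;
}

/* Hardened "get statistics" handler: every caller-controlled IRP parameter is
 * checked before a single byte of the stats is written anywhere. */
int handle_get_stats(const model_irp *irp, const capture_stats *current,
                     const user_region *u) {
    if (irp->out_buf == NULL) return ST_INVALID_PARAMETER;
    if (irp->out_len < sizeof(capture_stats)) return ST_BUFFER_TOO_SMALL;
    switch (irp->code & 3) {
    case METHOD_BUFFERED:
        break;  /* I/O manager already sized and copied SystemBuffer for us */
    case METHOD_NEITHER:
        /* Raw user pointer: without this probe, a caller could point it at
         * kernel memory and have the driver overwrite it with stats values. */
        if (!model_probe_for_write(irp->out_buf, irp->out_len, sizeof(uint32_t), u))
            return ST_ACCESS_VIOLATION;
        break;
    default:
        return ST_INVALID_PARAMETER;  /* this IOCTL supports only those two */
    }
    memcpy(irp->out_buf, current, sizeof(capture_stats));
    return ST_SUCCESS;
}
```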