Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17438
HistoryJul 10, 2007 - 12:00 a.m.

WinPcap NPF.SYS Privilege Elevation Vulnerability

2007-07-1000:00:00
vulners.com
13
JSON
    WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
    -------------------------------------------------------------

    Affected software: 

    (*) WinPcap versions affected (Confirmed)
    
    - WinPcap 3.1
    - WinPcap 4.1

(*) Operating systems affected (Confirmed)
    
    - Windows 2000 SP4 (Both server and workstation) 
    - Windows XP   SP2
    - Windows 2003 Server
    - Windows Vista !!

    Description:

    It's a well known issue that WinPcap security model allows non-administrator 
    users to use its device driver. If they don't manually unload it after using 
    tools such as Wireshark (ethereal), which unfortunatelly oftenly happens, this 
    can lead to unwanted network traffic sniffing and now with the help of this 
    exploit to kernel mode code execution ;-)       
    
    Remarks:
    
    The exploit code is a PoC and was tested only against Windows XP SP2, with minor 
    modifications (delta offsets and changing VirtualAlloc for NtAllocVirtualMemory due
    to base address restrictions in Windows Vista ) should work on all OSes commented 
    above.

    To test the PoC, just pick any software which uses WinPcap like WireShark, then 
    start to sniff in any iface and close it  (so WinPcap device gets up ). Run the 
    exploit code (as guest user if you want) you should hit an int 3 in kernel mode :-)
                    
    Vulnerability discovered by:
    
    Mario Ballano BΠ±rcena,  mballano[_at_]gmail.com

You can download exploit and analysis at : http://www.48bits.com/exploits/npfxpl.c

Best regards,

Mario

JSON