
3478 - WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability

ID: 3478
Date: 15/11/2007

Title: 3478 - WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability
Platform level affected: Net Application - Client
Hardware components affected: Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Security software: Monitoring
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: WinPcap Project
Applications affected: WinPcap
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Proof of Concept
Warning Status: Imminent
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: iDefense, Inc.
Reliability of source: Known
Source URL: http://labs.idefense.com/intelligence/vulnerabilities/, http://www.winpcap.org/
CVE: CVE-2007-5756
Abstract: Local exploitation of an invalid array indexing vulnerability in the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context.

iDefense Security Advisory 11.12.07
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 12, 2007

I. BACKGROUND

WinPcap is a software package that facilitates real-time link-level network access for Windows-based operating systems. A wide range of open-source projects, including Wireshark, use it. More information is available at the project's web site at the following URL.

http://www.winpcap.org/

II. DESCRIPTION

Local exploitation of an invalid array indexing vulnerability in the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context.

The problem specifically exists within the bpf_filter_init function. In several places throughout this function, values supplied from a potential attacker are used as array indexes without proper bounds checking. By making IOCTL requests with specially chosen values, attackers are able to corrupt the stack, or pool memory, within the kernel.
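The defensive counterpart to the flaw described above is to validate every field of a user-supplied BPF program before any of it is used as an array index. The following is an added example, not WinPcap's own code; which indexes it checks (the scratch memory array M[k] and jump targets) is an assumption about the general BPF design, not a statement of where NPF.SYS was missing checks.

```c
/* Added example, not WinPcap's own code: a bounds-checking validator that a
 * kernel filter driver should run on a user-supplied BPF program before using
 * any of its fields as an array index. The checked indexes (M[k] and jump
 * targets) are assumed here, not taken from the advisory. */
#include <stdint.h>
#include <stddef.h>

#define BPF_MEMWORDS 16                 /* size of the M[] scratch array */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_ST   0x02
#define BPF_STX  0x03
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_MODE(c) ((c) & 0xe0)
#define BPF_MEM  0x60
#define BPF_OP(c) ((c) & 0xf0)
#define BPF_JA   0x00

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Returns 1 if every index the program can produce lies inside the M[] array
 * and the instruction array, and the program ends in a return; 0 otherwise. */
int bpf_validate_bounds(const struct bpf_insn *prog, size_t len)
{
    if (prog == NULL || len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &prog[i];
        size_t room = len - 1 - i;      /* instructions after this one */
        switch (BPF_CLASS(p->code)) {
        case BPF_LD: case BPF_LDX:      /* A/X = M[k] */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_ST: case BPF_STX:      /* M[k] = A/X */
            if (p->k >= BPF_MEMWORDS) return 0;
            break;
        case BPF_JMP:                   /* target is i + 1 + offset */
            if (BPF_OP(p->code) == BPF_JA) { if (p->k >= room) return 0; }
            else if (p->jt >= room || p->jf >= room) return 0;
            break;
        default: break;
        }
    }
    /* a program that can run off the end of the array is also rejected */
    return BPF_CLASS(prog[len - 1].code) == BPF_RET;
}
```

A driver that rejects the program at IOCTL time when this returns 0 never reaches the point where an out-of-range index touches stack or pool memory.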

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in kernel context.

The vulnerable device driver is loaded when WinPcap is initialized. This driver can be set to load on start-up depending on a choice made at installation time. However, this is not the default setting.

Normally, the device driver is not loaded until an administrator utilizes a WinPcap dependent application. Once they do, it will become accessible to normal users as well. When a program using this driver exits, it is not unloaded. Attackers will continue to have access until the driver is manually unloaded.

If the option to allow normal user access was chosen at installation time, attackers will always have access to this device driver. Consequently, a local attacker without administrator privileges would be able to sniff traffic as well as exploit this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 4.0.1 of WinPcap as included in Wireshark 0.99.6a. The version of NPF.SYS tested was 4.0.0.901. iDefense suspects older versions to also be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The WinPcap Team has addressed this vulnerability by releasing version 4.0.2 of the WinPcap software. For more information, see the following URL.

http://www.winpcap.org/misc/changelog.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-5756 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

10/30/2007  Initial vendor notification
10/30/2007  Initial vendor response
11/12/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Thu, 15 Nov 2007 00:00:00 GMT
Domain affected: Technical