July 2007

ID: 155
Ref: 100/2007
Date: 10 July 2007:16:19:45
Version: 1

---

Title: iDefense Security Advisory: WinPcap
Abstract: Description of a WinPcap NPF.SYS Local Privilege Escalation Vulnerability
Vendors affected: Microsoft
Operating systems affected: Microsoft
Applications affected: Microsoft

---

WinPcap NPF.SYS Local Privilege Escalation Vulnerability

iDefense Security Advisory 07.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 09, 2007

I. BACKGROUND

WinPcap is a software package that facilitates real-time link-level network
access for Windows-based operating systems. It is used by a wide range of
open-source projects including Wireshark. More information is available at the
project web site at the URL shown below.

http://www.winpcap.org/

II. DESCRIPTION

Local exploitation of an input validation vulnerability within the NPF.SYS
device driver of WinPcap allows attackers to execute arbitrary code in kernel
context.

The vulnerability specifically exists due to insufficient input validation
when handling the Interrupt Request Packet (Irp) parameters passed to IOCTL
9031 (BIOCGSTATS). By passing carefully chosen parameters to this IOCTL, an
attacker can overwrite arbitrary kernel memory.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in kernel context.

The vulnerable device driver is loaded when WinPcap is initialized. This
driver can be set to load on start-up depending on a choice made at
installation time. This is not the default setting.

In a default installation, the device driver is not loaded until an
Administrator utilizes a WinPcap dependent application. Once they do, it will
become accessible to normal users as well. When a program using this driver
exists, it is not unloaded. Attackers will continue to have access until the
driver is manually unloaded.

If the option to allow normal user access was chosen at installation time,
attackers will always have access to this device driver.
Consequently, a local attacker without administrator privileges would have
access to sniff, as well as exploit this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version 4.0 of
WinPcap as included in Wireshark 0.99.5. The version of NPF.SYS tested was
4.0.0.755. Older versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this issue.

VI. VENDOR RESPONSE

The WinPcap Team has addressed this vulnerability by releasing version
4.0.1 of the WinPcap software. For more information, see the following URL.

http://www.winpcap.org/misc/changelog.htm

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been
assigned yet.

VIII. DISCLOSURE TIMELINE

05/16/2007 Initial vendor notification
05/16/2007 Initial vendor response
07/09/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Mario Ballano from 48bits.com.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please e-mail customerservice@idefense.com for
permission.

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
___________________________________________________________________________

CPNI wishes to acknowledge the contributions of iDefence for the
information contained in this advisory.
___________________________________________________________________________

This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that
you receive the most current
information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within
this notice shall not be used for advertising or product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to
incidents, and to promote
information sharing amongst its members and the community at large.
___________________________________________________________________________