[Winpcap-bugs] Potential vulnerability in WinPCap

Gianluca Varenni gianluca.varenni at cacetech.com
Tue Jul 3 18:37:42 GMT 2007


Sebastian,

thanks for the report!

First of all, I should mention that a new version of WinPcap (actually two, 
4.0.1 and 4.1 beta) are coming out today, so they won't contain the fix. The 
builds were ready last week and we cannot delay them again...

Regarding the specific security issue, you are probably right. From your 
mail it looks like you already created an application that exploits the 
security vulnerability. Can you please send it to me? I will look at the 
specific code in the next week or so.

Out of curiosity, is there a specific reason why you are running PFD and SDV 
on npf.sys? Is it for some security research?

Have a nice day and thanks again for the security report!

GV

----- Original Message ----- 
From: "Sebastian Gottschalk" <seppig_relay at gmx.de>
To: <winpcap-bugs at winpcap.org>
Sent: Saturday, June 30, 2007 3:44 PM
Subject: [Winpcap-bugs] Potential vulnerability in WinPCap


> Dear Sir or Madam,
>
> I found a potential vulnerability in WinPCap 4.0 (latest version).
>
> I used the tool "Static Driver Verifier" from the latest WinDDK with a
> modification of the WinPCap build script (which, by itself, took about 36
> hours). Analyzing the results carefully, I found an actual bug:
>
> When NPF_IoControl is called with the IOCTL code "BIOCSETF" (on x86 only), at a
> certain point BPF_Destroy_JIT_Filter is called to free the buffers associated
> with a filter. However, it only checks that the Filter is not NULL, but doesn't
> check whether the subfields "mem" and "Function" are not NULL. Calling
> ExFreePool on NULL can cause a bugcheck. I'm quite sure that this is an actual
> bug, since it's only checked whether the Filter is not NULL, but not whether
> the subfields are, and I can't find any code guaranteeing such a behaviour. In
> fact, crafting such a malicious Filter structure and calling the WinPCap driver
> with it leads to the mentioned bugcheck on Windows XP (when pool monitoring is
> enabled) and Windows Server 2003 (where it's enabled by default). Other
> versions of Windows should be affected as well.
>
> Workaround:
>
> Only start the npf.sys driver on demand as an administrator.
>
> Suggested fix:
>
> In BPF_Destroy_JIT_Filter, check if Filter->mem and Filter->Function are not
> NULL before calling ExFreePool on them.
>
>
> Sincerely,
> Sebastian Gottschalk
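The defect and the suggested fix from the report above, side by side, as an added C example that is not WinPcap's own code: the record layout, FakeExFreePool, frees_performed and destroy_partial_filter are stand-ins (assumptions) that reproduce the pool-monitoring bugcheck as a user-mode abort, so both destroy routines can be compared outside the kernel.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-in record (assumed layout, not npf.sys): only the two sub-fields
 * the report names are modelled. */
typedef struct {
    void *mem;      /* JIT-compiled code buffer; may be NULL */
    void *Function; /* entry-point cell; may be NULL */
} JIT_FILTER_STUB;

/* User-mode stand-in for ExFreePool: with pool monitoring on, the kernel
 * bugchecks on a NULL argument, so here the process aborts instead. */
int frees_performed;
void FakeExFreePool(void *p)
{
    if (p == NULL) { fprintf(stderr, "bugcheck: ExFreePool(NULL)\n"); abort(); }
    free(p);
    frees_performed++;
}

/* Behaviour the report describes: only the container is checked, so a
 * filter with a NULL mem or Function hits the bugcheck path above. */
void Destroy_Unchecked(JIT_FILTER_STUB *f)
{
    if (f == NULL) return;
    FakeExFreePool(f->mem);
    FakeExFreePool(f->Function);
    FakeExFreePool(f);
}

/* Suggested fix: guard each sub-field before freeing it, and clear the
 * pointer afterwards so a stale value is never handed to ExFreePool again. */
void Destroy_Checked(JIT_FILTER_STUB *f)
{
    if (f == NULL) return;
    if (f->mem != NULL)      { FakeExFreePool(f->mem);      f->mem = NULL; }
    if (f->Function != NULL) { FakeExFreePool(f->Function); f->Function = NULL; }
    FakeExFreePool(f);
}

/* Builds a partially populated filter (constructed input) and returns how
 * many frees the checked destroy performs: one for the record plus one per
 * non-NULL sub-field, never an ExFreePool(NULL). Returns -1 on alloc failure. */
int destroy_partial_filter(int with_mem, int with_function)
{
    JIT_FILTER_STUB *f = calloc(1, sizeof *f);
    if (f == NULL) return -1;
    if (with_mem)      f->mem = malloc(64);
    if (with_function) f->Function = malloc(16);
    frees_performed = 0;
    Destroy_Checked(f);
    return frees_performed;
}
```

Passing the same partially populated record to Destroy_Unchecked aborts at the first NULL sub-field, which is the user-mode equivalent of the bugcheck the report describes.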