[Winpcap-bugs] Potential vulnerability in WinPCap

Sebastian Gottschalk seppig_relay at gmx.de
Sat Jun 30 22:44:07 GMT 2007


Dear Sir or Madam,

I found a potential vulnerability in WinPCap 4.0 (latest version).

I used the tool "Static Driver Verifier" from the latest WinDDK with a
modification of the WinPCap build script (which, by itself, took about 36
hours). Analyzing the results carefully, I found an actual bug:

When NPF_IoControl is called with the IOCTL code "BIOCSETF" (on x86 only), at a
certain point BPF_Destroy_JIT_Filter is called to free the buffers associated
with a filter. However, it only checks if the Filter is not NULL, but doesn't
check whether the subfields "mem" and "Function" are not NULL. Calling
ExFreePool on NULL can cause a bugcheck. I'm quite sure that this is an actual
bug, since it's only checked whether the Filter is not NULL, but it's not
checked whether the subfields are not NULL, and I can't find any code
guaranteeing such a behaviour. In fact, crafting such a malicious Filter
structure and calling the WinPCap driver with it leads to the mentioned
bugcheck on Windows XP (when pool monitoring is enabled) and Windows Server
2003 (whereas it's enabled by default). Other versions of Windows should be
affected as well.

Workaround:

Only start the npf.sys driver on demand as an administrator.

Suggested fix:

In BPF_Destroy_JIT_Filter, check if Filter->mem and Filter->Function are not
NULL before calling ExFreePool on them.


Sincerely,
Sebastian Gottschalk
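The unchecked free pattern the report describes, beside the suggested fix, as an added user-mode model that is not WinPcap's own code: the field names mem and Function come from the report, while the struct layout, the two separate allocations and the pool_free stand-in for ExFreePool (which models freeing NULL as a bugcheck) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified model of the JIT filter object named in the report. Treating
 * mem and Function as two separately allocated blocks is an assumption. */
typedef struct {
    void *mem;       /* pool block holding the compiled filter */
    void *Function;  /* pool block holding the filter entry code */
} jit_filter_t;

#define FREE_OK        0
#define FREE_BUGCHECK (-1)

/* Stand-in for ExFreePool: freeing NULL is modelled as the bugcheck the
 * report observes with pool monitoring enabled. */
static int pool_free(void *block)
{
    if (block == NULL)
        return FREE_BUGCHECK;
    free(block);
    return FREE_OK;
}

/* Builds a filter with each sub-buffer either allocated or left NULL. */
void init_filter(jit_filter_t *f, int with_mem, int with_function)
{
    f->mem      = with_mem      ? malloc(64) : NULL;
    f->Function = with_function ? malloc(64) : NULL;
}

/* Pattern the report describes: only the Filter pointer is checked, so a
 * filter whose sub-buffers were never allocated hands NULL to the pool. */
int destroy_filter_unchecked(jit_filter_t *f)
{
    if (f == NULL)
        return FREE_OK;
    if (pool_free(f->mem) != FREE_OK)
        return FREE_BUGCHECK;
    return pool_free(f->Function);
}

/* Suggested fix from the report: test each sub-buffer before freeing it.
 * Clearing the pointers afterwards also makes a repeated destroy harmless. */
int destroy_filter_checked(jit_filter_t *f)
{
    if (f == NULL)
        return FREE_OK;
    if (f->mem != NULL && pool_free(f->mem) != FREE_OK)
        return FREE_BUGCHECK;
    f->mem = NULL;
    if (f->Function != NULL && pool_free(f->Function) != FREE_OK)
        return FREE_BUGCHECK;
    f->Function = NULL;
    return FREE_OK;
}
```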

