[Winpcap-bugs] security vulnerabilities in WinPCap npf.sys driver
Sebastian Gottschalk
seppig_relay at gmx.de
Sat Feb 9 23:35:05 GMT 2008
Dear Sir or Madam,
I recently contacted you about some security vulnerabilities in WinPCap. I
investigated further and found a lot of other vulnerabilities:
The dispatcher for the IOCTL codes
BIOCSMODE, BIOCISETLOBBEH, BIOCSETEVENTHANDLE, BIOCSRTIMEOUT, BIOCSWRITEREP,
BIOCSMINTOCOPY, BIOCSETOID and BIOCQUERYOID all read from
AssociatedIrp->SystemBuffer. For BIOCSETF it reads this buffer by assigning
it to Open->bpfprogram, and even writes to this buffer. For
BIOCSENDPACKETSNOSYNC it uses NPF_BufferedWrite to write to the buffer.
There's absolutely no validation for:
- if the buffer's memory is mapped
- the buffer is readable and/or writable
- is in usermode memory
- belongs to the application
so it leads to Denial of Service, information disclosure and privilege
escalation.
In my last e-mail I already pointed out how code does perform sufficient checks
in such cases.
Sincerely,
Sebastian Gottschalk
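The checks the mail says are missing, shown as an added example (not WinPcap's code) in user-mode C that models a hardened dispatcher for buffered IOCTLs: every read of the request buffer is bounded by the declared input length, and BIOCSETF validates and copies the filter instead of retaining a pointer into the IRP buffer. The IOCTL values, status codes, the libpcap-style bpf_insn layout, the 4096-instruction cap and the sample filters are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical IOCTL codes and status values: placeholders, not the real NPF ones. */
#define BIOCSMODE 1
#define BIOCSETF  2
enum { ST_OK = 0, ST_TOO_SMALL = -1, ST_INVALID = -2, ST_NOMEM = -3 };
/* Classic BPF instruction as used by libpcap; a filter is an array of these. */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Per-handle state: the hardened handler owns its own copy of the filter. */
struct open_ctx { struct bpf_insn *bpfprogram; size_t ninsns; int mode; };
/* Reject programs with jumps outside the array or without a terminating RET. */
static int bpf_validate(const struct bpf_insn *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if ((p[i].code & 0x07) != 0x05) continue;              /* not BPF_JMP */
        if ((p[i].code & 0xf0) == 0x00) {                       /* BPF_JA */
            if (p[i].k >= n - i - 1) return 0;
        } else if (i + 1 + p[i].jt >= n || i + 1 + p[i].jf >= n) return 0;
    }
    return (p[n - 1].code & 0x07) == 0x06;                      /* BPF_RET */
}
/* Hardened dispatcher: every read of the request buffer is bounded by in_len. */
int npf_ioctl_hardened(struct open_ctx *open, uint32_t code,
                       const void *sysbuf, size_t in_len)
{
    if (sysbuf == NULL) return ST_INVALID;
    if (code == BIOCSMODE) {
        if (in_len < sizeof open->mode) return ST_TOO_SMALL;  /* short buffer */
        memcpy(&open->mode, sysbuf, sizeof open->mode);
        return ST_OK;
    }
    if (code == BIOCSETF) {
        size_t n = in_len / sizeof(struct bpf_insn);
        if (n == 0 || n > 4096 || in_len % sizeof(struct bpf_insn)) return ST_INVALID;
        if (!bpf_validate(sysbuf, n)) return ST_INVALID;
        struct bpf_insn *copy = malloc(in_len);
        if (copy == NULL) return ST_NOMEM;
        memcpy(copy, sysbuf, in_len);        /* own a copy; never retain sysbuf */
        free(open->bpfprogram);
        open->bpfprogram = copy; open->ninsns = n;
        return ST_OK;
    }
    return ST_INVALID;                        /* unknown code */
}
/* Constructed samples: an "accept all" filter, and one whose jump leaves the array. */
static const struct bpf_insn good_prog[] = { { 0x06, 0, 0, 0xffff } };
static const struct bpf_insn bad_prog[]  = { { 0x15, 5, 5, 0 }, { 0x06, 0, 0, 0xffff } };
static struct open_ctx g_ctx;
```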