[Winpcap-bugs] security vulnerabilities in WinPCap npf.sys driver
Gianluca Varenni
gianluca.varenni at cacetech.com
Fri Feb 22 22:26:24 GMT 2008
----- Original Message -----
From: "Sebastian Gottschalk" <seppig_relay at gmx.de>
To: <winpcap-bugs at winpcap.org>
Sent: Saturday, February 09, 2008 3:35 PM
Subject: [Winpcap-bugs] security vulnerabilities in WinPCap npf.sys driver
> Dear Sir or Madam,
>
> I recently contacted you about some security vulnerabilities in WinPCap. I
> investigated further and found a lot of other vulnerabilities:
>
> The dispatcher for the IOCTL codes
> BIOCSMODE, BIOCISETLOBBEH, BIOCSETEVENTHANDLE, BIOCSRTIMEOUT,
> BIOCSWRITEREP, BIOCSMINTOCOPY, BIOCSETOID and BIOCQUERYOID all read from
> AssociatedIrp->SystemBuffer. For BIOCSETF it reads this buffer by
> assigning it to Open->bpfprogram, and even writes to this buffer. For
> BIOCSENDPACKETSNOSYNC it uses NPF_BufferedWrite to write to the buffer.
> There's absolutely no validation for:
> - if the buffer's memory is mapped
> - the buffer is readable and/or writable
> - is in usermode memory
> - belongs to the application
>
> so it leads to Denial of Service, information disclosure and privilege
> escalation.
>
> In my last eMail I already pointed out how code does perform sufficient
> checks in such cases.
BIOCSMODE: it uses METHOD_BUFFERED. No need to validate the user buffer, as
it's a system buffer. You just need to validate that the buffer is large
enough before reading from it.
BIOCSETEVENTHANDLE: same as BIOCSETMODE
BIOCSRTIMEOUT: same as BIOCSETMODE
BIOCSETOID: same as BIOCSETMODE
BIOCQUERYOID: same as BIOCSETMODE
BIOCISETLOBBEH: it uses METHOD_OUT_DIRECT (which is wrong, it should have
been METHOD_BUFFERED). When method_xx_direct is used, the I/O manager uses a
temp buffer for the data from user mode to kernel mode, exactly like
METHOD_BUFFERED. So again you do not need to validate the input user buffer
(because it's already done by the I/O manager).
BIOCSWRITEREP uses METHOD_IN_DIRECT. Same as BIOCISETLOBBEH, the user
input buffer gets validated by the I/O manager and copied into a new buffer
provided by the I/O manager.
BIOCSMINTOCOPY same as BIOCISETLOBBEH
Have a nice day
GV
>
>
> Sincerely,
> Sebastian Gottschalk
> _______________________________________________
> Winpcap-bugs mailing list
> Winpcap-bugs at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-bugs
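The distinction GV draws above (for METHOD_BUFFERED and METHOD_xx_DIRECT the I/O manager has already probed and copied the user input into a system buffer, so the driver's remaining duty is to check that the buffer is large enough before reading it) can be illustrated with a small user-mode model of an IOCTL dispatch check. This is an added example, not WinPcap's npf.sys code and not code from either correspondent; the `ioctl_request` struct, the `check_set_mode` function, the `IOCTL_EXAMPLE_*` codes and the `check_result` values are constructed stand-ins for the IRP fields and NTSTATUS codes a real driver would use. The `CTL_CODE` layout and method constants mirror the WDK definitions. It goes slightly beyond the thread by also handling METHOD_NEITHER, where no copy is made and the driver itself must probe the raw user pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Transfer method lives in the low two bits of an IOCTL code (WDK layout). */
#define METHOD_BUFFERED   0u
#define METHOD_IN_DIRECT  1u
#define METHOD_OUT_DIRECT 2u
#define METHOD_NEITHER    3u
#define METHOD_FROM_CTL_CODE(code) ((uint32_t)(code) & 3u)

/* Same bit layout as the WDK CTL_CODE macro. */
#define CTL_CODE(dev, fn, method, access) \
    ((((uint32_t)(dev)) << 16) | (((uint32_t)(access)) << 14) | \
     (((uint32_t)(fn)) << 2) | ((uint32_t)(method)))
#define FILE_DEVICE_UNKNOWN 0x22u
#define FILE_ANY_ACCESS     0u

/* Hypothetical IOCTLs (constructed; not the real BIOC* codes). */
#define IOCTL_EXAMPLE_SET_MODE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_EXAMPLE_SET_MODE_NEITHER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Constructed stand-ins for NTSTATUS outcomes. */
enum check_result {
    CHECK_OK = 0,
    CHECK_BUFFER_TOO_SMALL,   /* would be STATUS_BUFFER_TOO_SMALL */
    CHECK_MUST_PROBE          /* METHOD_NEITHER: caller must probe first */
};

/* Constructed stand-in for the IRP fields the check needs. */
struct ioctl_request {
    uint32_t    code;           /* Parameters.DeviceIoControl.IoControlCode */
    const void *system_buffer;  /* AssociatedIrp.SystemBuffer (BUFFERED/DIRECT) */
    size_t      input_length;   /* Parameters.DeviceIoControl.InputBufferLength */
};

/* Read a 32-bit mode value from the request's input buffer. */
enum check_result check_set_mode(const struct ioctl_request *req, uint32_t *mode_out)
{
    switch (METHOD_FROM_CTL_CODE(req->code)) {
    case METHOD_BUFFERED:
    case METHOD_IN_DIRECT:
    case METHOD_OUT_DIRECT:
        /* Input already validated and copied by the I/O manager into a
         * kernel buffer; the driver only has to bound its own read. */
        if (req->system_buffer == NULL || req->input_length < sizeof(uint32_t))
            return CHECK_BUFFER_TOO_SMALL;
        memcpy(mode_out, req->system_buffer, sizeof(uint32_t));
        return CHECK_OK;
    default:
        /* METHOD_NEITHER hands the driver raw user-mode pointers; a real
         * driver must ProbeForRead/ProbeForWrite inside __try before use. */
        return CHECK_MUST_PROBE;
    }
}

int main(void)
{
    uint32_t value = 2, mode = 0;
    struct ioctl_request ok    = { IOCTL_EXAMPLE_SET_MODE, &value, sizeof value };
    struct ioctl_request small = { IOCTL_EXAMPLE_SET_MODE, &value, 2 };
    struct ioctl_request raw   = { IOCTL_EXAMPLE_SET_MODE_NEITHER, &value, sizeof value };

    printf("buffered, full length: %d (mode=%u)\n", check_set_mode(&ok, &mode), mode);
    printf("buffered, 2 bytes:     %d\n", check_set_mode(&small, &mode));
    printf("neither:               %d\n", check_set_mode(&raw, &mode));
    return 0;
}
```

The length check is the piece that the thread says is still required for METHOD_BUFFERED: the I/O manager guarantees the buffer is kernel memory, not that it holds as many bytes as the driver wants to read.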