
WinPcap NPF.SYS Privilege Elevation Vulnerability

        WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
        -------------------------------------------------------------

        Affected software: 

        (*) WinPcap versions affected (Confirmed)
        
        - WinPcap 3.1
        - WinPcap 4.1

        (*) Operating systems affected (Confirmed)
        
        - Windows 2000 SP4 (Both server and workstation) 
        - Windows XP   SP2
        - Windows 2003 Server
        - Windows Vista !!

        Description:

        It's a well known issue that the WinPcap security model allows
        non-administrator users to use its device driver. If it is not manually
        unloaded after using tools such as Wireshark (Ethereal), which
        unfortunately often happens, this can lead to unwanted network traffic
        sniffing and now, with the help of this exploit, to kernel mode code
        execution ;-)
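        A defender-side check for the condition described above, added here as an
        example and not part of the original advisory: a PowerShell script that
        reports whether the NPF driver is still loaded and how it is configured to
        start, and can unload it. It assumes the driver is registered under
        WinPcap's usual service name "NPF" and is run from an elevated shell when
        -Unload is used.

```powershell
# Added example, not the advisory's code. Reports the state of the WinPcap
# NPF kernel driver and optionally unloads it so that non-administrator
# users can no longer open the \\.\NPF_* packet filter devices.
# Assumes the driver is registered under the service name "NPF".
param([switch]$Unload)

$svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='NPF'"
if (-not $svc) {
    Write-Output "NPF driver service is not registered on this host."
    return
}

Write-Output ("NPF driver: state={0} startmode={1} path={2}" -f `
    $svc.State, $svc.StartMode, $svc.PathName)

if ($svc.StartMode -eq 'Auto') {
    # An auto-start driver is loaded at boot, so it is exposed even when no
    # capture tool has been used; demand start limits exposure to capture sessions.
    Write-Warning "NPF starts automatically at boot; consider 'sc config NPF start= demand'."
}

if ($svc.State -eq 'Running') {
    Write-Warning "NPF is loaded: any local user can open the packet filter device until it is stopped."
    if ($Unload) {
        # Needs administrative rights; fails if a capture tool still holds the device open.
        & sc.exe stop NPF | Out-Null
        if ($LASTEXITCODE -eq 0) {
            Write-Output "NPF driver stopped."
        } else {
            Write-Warning "Could not stop NPF (sc.exe exit code $LASTEXITCODE); close any running capture tool and retry."
        }
    }
} else {
    Write-Output "NPF is not loaded; non-administrator users cannot reach the driver right now."
}
```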
        
        Remarks:
        
        The exploit code is a PoC and was tested only against Windows XP SP2;
        with minor modifications (delta offsets, and replacing VirtualAlloc with
        NtAllocateVirtualMemory due to base address restrictions in Windows
        Vista) it should work on all OSes listed above.

        To test the PoC, just pick any software which uses WinPcap, like
        Wireshark, then start to sniff on any interface and close it (so the
        WinPcap device is up). Run the exploit code (as guest user if you want);
        you should hit an int 3 in kernel mode :-)
                        
        Vulnerability discovered by:
        
        Mario Ballano Bárcena,  mballano[_at_]gmail.com 
        
You can download exploit and analysis at : 
http://www.48bits.com/exploits/npfxpl.c

Best regards, 

Mario