|
|
|
|
| |
Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=625
|
| |
Vulnerable Systems:
* WinPcap version 4.0.1 included in Wireshark version 0.99.6a
* NPF.SYS version 4.0.0.901
Immune Systems:
* WinPcap version 4.0.2
The problem specifically exists within the bpf_filter_init function. In several places throughout this function, values supplied from a potential attacker are used as array indexes without proper bounds checking. By making IOCTL requests with specially chosen values, attackers are able to corrupt the stack, or pool memory, within the kernel.
Analysis:
Exploitation allows attackers to execute arbitrary code in kernel context.
The vulnerable device driver is loaded when WinPcap is initialized. This driver can be set to load on start-up depending on a choice made at installation time. However, this is not the default setting.
Normally, the device driver is not loaded until an administrator utilizes a WinPcap dependent application. Once they do, it will become accessible to normal users as well. When a program using this driver exits, it is not unloaded. Attackers will continue to have access until the driver is manually unloaded.
If the option to allow normal user access was chosen at installation time, attackers will always have access to this device driver. Consequently, a local attacker without administrator privileges would have access to sniff, as well as exploit this vulnerability.
Vendor response:
The WinPcap Team has addressed this vulnerability by releasing version 4.0.2 of the WinPcap software. For more information, see the following URL: http://www.winpcap.org/misc/changelog.htm
CVE Information:
CVE-2007-5756
Disclosure timeline:
10/30/2007 - Initial vendor notification
10/30/2007 - Initial vendor response
11/12/2007 - Coordinated public disclosure
|
|
|
|
|
