
CPNI INFOSEC ADVISORY - 100/07 - iDefence - WinPcap NPF.SYS Local Privilege Escalation Vulnerability


 CPNI INFOSEC ADVISORY - 100/07 dated 9.07.07 time 14:38

 Centre for the Protection of National Infrastructure

Further details about CPNI, including information about our
products can be found at www.cpni.gov.uk

iDefense Security Advisory:
WinPcap NPF.SYS Local Privilege Escalation Vulnerability


iDefense Security Advisory 07.09.07
Jul 09, 2007


WinPcap is a software package that facilitates real-time link-level network
access for Windows-based operating systems. It is used by a wide range of
open-source projects including Wireshark. More information is available at the
project web site at the URL shown below.



Local exploitation of an input validation vulnerability within the NPF.SYS
device driver of WinPcap allows attackers to execute arbitrary code in kernel

The vulnerability specifically exists due to insufficient input validation
when handling the Interrupt Request Packet (Irp) parameters passed to IOCTL
9031 (BIOCGSTATS). By passing carefully chosen parameters to this IOCTL, an
attacker can overwrite arbitrary kernel memory.


Exploitation allows attackers to execute arbitrary code in kernel context.

The vulnerable device driver is loaded when WinPcap is initialized. This
driver can be set to load on start-up depending on a choice made at
installation time. This is not the default setting.

In a default installation, the device driver is not loaded until an
Administrator utilizes a WinPcap dependent application. Once they do, it will
become accessible to normal users as well. When a program using this driver
exits, the driver is not unloaded. Attackers will continue to have access until the
driver is manually unloaded.

If the option to allow normal user access was chosen at installation time,
attackers will always have access to this device driver.
Consequently, a local attacker without administrator privileges would be able
to sniff traffic as well as exploit this vulnerability.


iDefense has confirmed the existence of this vulnerability in version 4.0 of
WinPcap as included in Wireshark 0.99.5. The version of NPF.SYS tested was
Older versions are suspected to be vulnerable.


iDefense is currently unaware of any effective workaround for this issue.


The WinPcap Team has addressed this vulnerability by releasing version
4.0.1 of the WinPcap software. For more information, see the following URL.
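As an added example (not part of the iDefense or CPNI advisory), the following PowerShell check reports whether NPF.SYS is installed, whether it is currently loaded (and therefore reachable by non-administrative users, as described above), and whether its file version is below the fixed release 4.0.1. It assumes the driver is registered under the service name "npf" and installed at %SystemRoot%\System32\drivers\npf.sys, the usual WinPcap locations.

```powershell
# Added example, not part of the advisory. Reports whether the WinPcap NPF.SYS
# driver is installed, currently loaded, and below the fixed release 4.0.1.
# Assumptions: the driver service is registered as "npf" and the binary lives
# at %SystemRoot%\System32\drivers\npf.sys (the usual WinPcap locations).

$FixedVersion = [Version]'4.0.1'
$DriverPath   = Join-Path $env:SystemRoot 'System32\drivers\npf.sys'

function Get-NpfDriverStatus {
    $status = [ordered]@{
        Installed  = Test-Path -LiteralPath $DriverPath
        Version    = $null
        Vulnerable = $null          # $null = could not be determined
        Loaded     = $false
        StartMode  = 'NotRegistered'
    }

    if ($status.Installed) {
        $raw = (Get-Item -LiteralPath $DriverPath).VersionInfo.FileVersion
        try {
            # FileVersion may read "4.0.0.755" or "4, 0, 0, 755"; normalise to dots.
            $status.Version    = [Version](($raw -replace '\s', '') -replace ',', '.')
            $status.Vulnerable = $status.Version -lt $FixedVersion
        } catch {
            # Unparseable version string: keep the raw text for manual review
            # rather than silently assuming the driver is safe.
            $status.Version = $raw
        }
    }

    # Kernel drivers are not returned by Get-Service; query Win32_SystemDriver.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='npf'" `
                           -ErrorAction SilentlyContinue
    if ($drv) {
        $status.Loaded    = ($drv.State -eq 'Running')
        $status.StartMode = $drv.StartMode   # 'Auto' exposes the device from boot
    }

    [pscustomobject]$status
}

$s = Get-NpfDriverStatus
$s | Format-List

if ($s.Vulnerable -and $s.Loaded) {
    Write-Warning ("NPF.SYS {0} is loaded and below 4.0.1; update WinPcap or " +
                   "unload the driver until the update is applied.") -f $s.Version
}
```

Run it in an elevated session on hosts where Wireshark or other WinPcap-based tools are installed; a result of Loaded = True with StartMode = 'Auto' corresponds to the "always accessible" configuration the advisory describes.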



A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been
assigned yet.


05/16/2007  Initial vendor notification
05/16/2007  Initial vendor response
07/09/2007  Coordinated public disclosure


This vulnerability was reported to iDefense by Mario Ballano from 48bits.com.

Get paid for vulnerability research

Free tools, research and upcoming events http://labs.idefense.com/


Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please e-mail customerservice@xxxxxxxxxxxx for

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this


For additional information or assistance, please contact our
help desk by telephone.

You may send Not Protectively Marked information via e-mail
to infosec@xxxxxxxxxxxxxxxx

Office hours:

Mon - Fri: 09:00 - 16:30 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts


CPNI wishes to acknowledge the contributions of iDefence for the
information contained in this advisory.

This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current information concerning that
problem.

Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
