AOH :: HP Unsorted W :: TB11550.HTM

WinPcap NPF.SYS Privilege Elevation Vulnerability



WinPcap NPF.SYS Privilege Elevation Vulnerability
WinPcap NPF.SYS Privilege Elevation Vulnerability



	WinPcap NPF.SYS Privilege Elevation Vulnerability PoC exploit
	-------------------------------------------------------------

	Affected software: 

	(*) WinPcap versions affected (Confirmed)
=09
	- WinPcap 3.1
	- WinPcap 4.1

    (*) Operating systems affected (Confirmed)
=09
	- Windows 2000 SP4 (Both server and workstation) 
	- Windows XP   SP2
	- Windows 2003 Server
	- Windows Vista !!

	Description:

	It's a well known issue that WinPcap security model allows non-administrator 
	users to use its device driver. If they don't manually unload it after using 
	tools such as Wireshark (ethereal), which unfortunatelly oftenly happens, this 
	can lead to unwanted network traffic sniffing and now with the help of this 
	exploit to kernel mode code execution ;-)=09
=09
	Remarks:
=09
	The exploit code is a PoC and was tested only against Windows XP SP2, with minor 
	modifications (delta offsets and changing VirtualAlloc for NtAllocVirtualMemory due
	to base address restrictions in Windows Vista ) should work on all OSes commented 
	above.

	To test the PoC, just pick any software which uses WinPcap like WireShark, then 
	start to sniff in any iface and close it  (so WinPcap device gets up ). Run the 
	exploit code (as guest user if you want) you should hit an int 3 in kernel mode :-)
		=09
	Vulnerability discovered by:
=09
	Mario Ballano B=E1rcena,  mballano[_at_]gmail.com 
=09
You can download exploit and analysis at : http://www.48bits.com/exploits/npfxpl.c 

Best regards, 

Mario

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.