Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: tb10017.htm

Microsoft Windows Ndistapi.sys IRQL escalation



Microsoft Windows Ndistapi.sys IRQL escalation
Microsoft Windows Ndistapi.sys IRQL escalation



MICROSOFT WINDOWS
Ndistapi.sys IRQL escalation

Rub=E9n Santamarta  [Email concealed]
 =09
Affected products:
 Microsoft Windows XP SP2
 Microsoft Windows 2003 Server SP1


Introduction
-------------

NDISTAPI.sys is a kernel-mode component that exposes connectionless
miniport drivers to the TAPI device space. NDISTAPI accepts call setup
and teardown requests from the TAPI service provider and directs such
requests through NDISWAN to the correct miniport driver to set up,
monitor, and tear down lines and calls.

Flaw
-----

 =93\Device\NdisTapi=94  is exposed to unprivileged users. Hence, any
user-mode application can write data to this device.

Let's see:

Ndistapi.sys
Windows XP SP2

_; __stdcall NdisTapiDispatch(x, x)
.text:000115E8 _NdisTapiDispatch@8 proc near           ; DATA XREF:
DriverEntry(x,x)+13E#o
.text:000115E8
.text:000115E8 arg_4           = dword ptr  0Ch
.text:000115E8
.text:000115E8                 push    ebp
.text:000115E9                 mov     ebp, esp
.text:000115EB                 push    ebx
.text:000115EC                 push    esi
.text:000115ED                 mov     esi, [ebp+arg_4]
.text:000115F0                 mov     eax, [esi+60h]
.text:000115F3                 movzx   ecx, byte ptr [eax]
.text:000115F6                 sub     ecx, 0
.text:000115F9                 mov     edx, [esi+0Ch]
.text:000115FC                 mov     ebx, [eax+4]
.text:000115FF                 push    edi
.text:00011600                 mov     edi, [eax+8]
.text:00011603                 jz      short loc_1167E
.text:00011605                 dec     ecx
.text:00011606                 dec     ecx
.text:00011607                 jz      short loc_11674
.text:00011609                 sub     ecx, 0Ch
.text:0001160C                 jnz     loc_11697
.text:00011612                 mov     eax, [eax+0Ch]
.text:00011615                 cmp     eax, 8FFF23C0h  ;IOCTL
.text:0001161A                 jz      short loc_11669 ;DoIoctlConnectWork()
.text:0001161C                 cmp     eax, 8FFF23C8h
.text:00011621                 jz      short loc_1165C
{...}
.text:00010B16 ; __stdcall DoIoctlConnectWork(x, x, x, x)
.text:00010B16 _DoIoctlConnectWork@16 proc near        ; CODE XREF:
NdisTapiDispatch(x,x)+85#p
.text:00010B16
.text:00010B16 arg_0           = dword ptr  4
.text:00010B16 arg_4           = dword ptr  8
.text:00010B16 arg_8           = dword ptr  0Ch
.text:00010B16 arg_C           = dword ptr  10h
.text:00010B16
.text:00010B16                 mov     ecx, _DeviceExtension
.text:00010B1C                 push    edi
.text:00010B1D                 mov     edi,
ds:__imp_@KfAcquireSpinLock@4 ; KfAcquireSpinLock(x)
.text:00010B23                 add     ecx, 4Ch
.text:00010B26                 call    edi ; KfAcquireSpinLock(x) ;contact@reversemode.com 


References:
http://www.microsoft.com/downloads/details.aspx?familyid=95AC1610-C232-4644-B828-C55EEC605D55&displaylang=en 
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=47 
(PDF)

--
Reversemode
Advanced Reverse Engineering Services
www.reversemode.com 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH