Tuesday, July 10, 2007

WinPcap NPF.SYS Privilege Elevation Vulnerability PoC Exploit

It's a well known issue that WinPcap's security model allows non-administrator users to use its device driver. If they don't manually unload it after using tools such as Wireshark (Ethereal), which unfortunately often happens, this can lead to unwanted network traffic sniffing and now, with the help of this exploit, to kernel mode code execution ;-)

The exploit code is a PoC and was tested only against Windows XP SP2; with minor modifications (delta offsets, and replacing VirtualAlloc with NtAllocateVirtualMemory due to base address restrictions in Windows Vista) it should work on all the OSes commented above.


To test the PoC, just pick any software that uses WinPcap, such as Wireshark, start sniffing on any interface and then close it (so the WinPcap device stays up). Run the exploit code (as a guest user if you want); you should hit an int 3 in kernel mode :-)

Vulnerability discovered by:
Mario Ballano Bárcena, mballano[_at_]gmail.com
http://www.48bits.com/

----------------------------

Moral of the Story - The driver (NPF.sys) used by WinPcap has a local privilege escalation vulnerability, and because the driver stays loaded, and reachable by non-administrator users, after the sniffer exits, any machine where an administrator has run Wireshark is exposed until the driver is unloaded. If this is a problem in your environment, upgrade to WinPcap 4.0.1.
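Until the upgrade is rolled out, the practical check is whether npf.sys is currently loaded (and whether it is set to load at boot, which keeps it reachable all the time). The script below is an added example, not code from the original post or from the WinPcap project; it assumes WinPcap's standard service name "npf" and driver file System32\drivers\npf.sys, and it has to be run from an administrator prompt because stopping a driver needs that right.

```powershell
# Added example (not from the post or from WinPcap): report whether the WinPcap
# NPF driver is installed, loaded and auto-started, then unload it.
# Assumptions: service name "npf", driver file System32\drivers\npf.sys.

$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='npf'"
if (-not $drv) {
    Write-Host "NPF driver service not found: WinPcap is not installed."
    return
}

# File version of the installed driver; compare it with the WinPcap release you
# have deployed (the post recommends 4.0.1).
$path = Join-Path $env:SystemRoot "System32\drivers\npf.sys"
if (Test-Path $path) {
    $ver = (Get-Item $path).VersionInfo.FileVersion
} else {
    $ver = "(file missing)"
}
Write-Host ("npf.sys version {0}, state {1}, start mode {2}" -f $ver, $drv.State, $drv.StartMode)

if ($drv.StartMode -eq "Auto") {
    # Auto start loads the driver at boot, so it is reachable by every user all
    # the time. Switch it to demand start; the space after "start=" is required.
    sc.exe config npf start= demand | Out-Null
    Write-Host "Changed npf start mode to demand."
}

if ($drv.State -eq "Running") {
    # Even with demand start the driver stays loaded after the sniffer exits,
    # which is the situation the post describes. Stopping the service unloads
    # it (equivalent to 'net stop npf'). Make sure no capture is running first.
    sc.exe stop npf | Out-Null
    Write-Host "Unloaded npf.sys."
}
```

Run it after finishing a capture session, or schedule it; a driver that is set to demand start and stopped after use is only exposed while someone is actually sniffing, which is the smallest window you can get without the fixed version.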
