eEye Research - http://research.eeye.com
Intel Network Adapter Driver Local Privilege Escalation
Release Date:
December 7, 2006
Date Reported:
July 10, 2006
Severity:
Medium (Local Privilege Escalation to Kernel)
Systems Affected:
Windows 2000, XP, 2003, Vista
Intel PRO 10/100 - 8.0.27.0 or previous
Intel PRO/1000 - 8.7.1.0 or previous
Intel PRO/1000 PCI - 9.1.30.0 or previous
Linux
Intel PRO 10/100 - 3.5.14 or previous
Intel PRO/1000 - 7.2.7 or previous
Intel PRO/10GbE - 1.0.109 or previous
UnixWare/SCO6
Intel PRO 10/100 - 4.0.3 or previous
Intel PRO/1000 - 9.0.15 or previous
Overview:
eEye Digital Security has discovered a vulnerability in all Intel
network adapter drivers ("NDIS miniport drivers") that could allow
unprivileged code executing on an affected system to gain unfettered,
kernel-level access. For instance, a malicious user, malware, or
exploit payload taking advantage of an unrelated vulnerability could
additionally exploit this vulnerability in order to completely
compromise a system at the kernel level.
The vulnerability is a simple strcpy-based stack buffer overflow within
the Intel miniport driver, and can be reliably exploited on all versions
of Windows in order to execute arbitrary code.
Technical Details:
Despite the low level occupied by NDIS miniport drivers, it is possible
for unprivileged user-mode code to communicate with them via
NDIS-brokered requests for network adapter statistics. An
IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request made to
"Device{adapterguid}" will cause NDIS.SYS to invoke the
QueryInformationHandler routine registered by the miniport driver in its
call to NdisMRegisterMiniport. The input buffer supplied with this
IOCTL is a list of 32-bit OIDs corresponding to the statistics of
interest, each of which is passed individually to
QueryInformationHandler, which contains the code necessary to retrieve
the statistic and return it in the provided output buffer.
In the case of Intel miniport drivers, certain OID handlers will process
the contents of the output buffer. On Windows 2000, a pointer to the
user-supplied buffer is passed directly to the miniport driver, meaning
this data is under user control. (Windows XP and later passes in a
pointer to a temporary buffer in kernel memory containing undefined
data, which can be controlled by "seeding" pool memory from user-mode
prior to attempting exploitation.)
The handler for OID 0xFF0203FC attempts to copy a string from the output
buffer into a stack variable using essentially the following strcpy
operation:
strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)
Therefore, supplying a 0x17A-character string (at offset +0x0C within
the output buffer, because NDIS uses the first 8 bytes for its own
purposes) will cause the handler function's return address to be
entirely overwritten, allowing execution to be redirected to an
arbitrary user- or kernel-mode address.
Despite vendor sentiment to the contrary, it should be understood that
driver flaws really are and have always been a major threat. Local
exploitation of this vulnerability will result in arbitrary code
execution, providing a level of access that amounts to "the keys to the
kingdom."
Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.
Vendor Status:
Intel has released a patch for this vulnerability which is available at
http://support.intel.com/support/network/sb/CS-023726.htm.
Credit:
Derek Soeder
Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html
Greetings:
F1: the very best of luck to you. To Gliko and to Mr. and Mrs. Mike:
congrats! cDc for holding the best Vegas party. TA, WC, MF, DKP, DM,
BN, MP, CSam, HTP, RS, SY, and the G in GUI.
Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.