Vulnerabilities > CVE-2007-3681 - Local Privilege Escalation vulnerability in Winpcap 3.1/4.0

CVSS 6.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
SINGLE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
winpcap
nessus
exploit available

Summary

The IOCTL 9031 (BIOCGSTATS) handler in the NPF.SYS device driver in WinPcap before 4.0.1 allows local users to overwrite memory and execute arbitrary code via malformed Interrupt Request Packet (Irp) parameters.

Vulnerable Configurations

Part Description Count
Application
Winpcap
2

Exploit-Db

description: WinPcap 4.0 NPF.SYS Privilege Elevation Vulnerability PoC Exploit. CVE-2007-3681. Local exploit for the Windows platform
file: exploits/windows/local/4165.c
id: EDB-ID:4165
last seen: 2016-01-31
modified: 2007-07-10
platform: windows
port:
published: 2007-07-10
reporter: Mario Ballano Bárcena
source: https://www.exploit-db.com/download/4165/
title: WinPcap 4.0 - NPF.SYS Privilege Elevation Vulnerability PoC Exploit
type: local

Nessus

NASL family: Windows
NASL id: WINPCAP_NPF_SYS_PRIV_ESCALATION.NASL
description: WinPcap, a packet capture and filtering engine, is installed on the remote Windows host. The version of WinPcap on the remote host lets a local user execute arbitrary code in kernel context because it fails to sufficiently sanitize Interrupt Request Packet parameters before passing them to the BIOCGSTATS IOCTL.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25684
published: 2007-07-10
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25684
title: WinPcap NPF.SYS Local Privilege Escalation
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Plugin registration: this branch runs only when Nessus loads the
  # script to collect its metadata; the actual check starts after it.
  script_id(25684);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  # Public identifiers for the flaw this plugin detects.
  script_cve_id("CVE-2007-3681");
  script_bugtraq_id(24829);

  script_name(english:"WinPcap NPF.SYS Local Privilege Escalation");
  script_summary(english:"Checks version of NPF.SYS");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is prone to a
local privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"WinPcap, a packet capture and filtering engine, is installed on the
remote Windows host.

The version of WinPcap on the remote host enables a local user to
execute arbitrary code in kernel context because it fails to
sufficiently sanitize Interrupt Request Packet parameters before
passing them to the BIOCGSTATS IOCTL.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7147d8d");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/473223/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://www.winpcap.org/misc/changelog.htm" );
  script_set_attribute(attribute:"solution", value:"Upgrade to WinPcap version 4.0.1 or later.");
  # CVSSv2 base vector: local attack vector, medium complexity, a single
  # authenticated account, complete C/I/A impact (kernel-context code
  # execution).  Temporal vector: functional exploit (E:F), official fix
  # available (RL:OF), confirmed report (RC:C).
 script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:S/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/07/10");

  # "local" here is the plugin type (a credentialed, host-side version
  # check over SMB), distinct from the CVSS attack vector above.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # The check below requires the SMB/Registry/Enumerated KB item, which the
  # listed dependencies are expected to set; SMB access on 139 or 445 is
  # needed to read the registry and the driver file.
  script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  # End of the metadata pass; the detection logic never runs in this mode.
  exit(0);
}


include("smb_func.inc");
include("audit.inc");
include("smb_hotfixes.inc");


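# Detection logic.  Flow: confirm WinPcap is registered in the remote
# registry, read the file version of %SystemRoot%\System32\drivers\npf.sys
# over SMB, and report when it is older than the 4.0.1 build.  Every early
# exit closes the SMB session first and goes through audit() so the reason
# shows up in the scan log instead of a silent exit(0).
if (!get_kb_item("SMB/Registry/Enumerated"))
  exit(0, "The 'SMB/Registry/Enumerated' KB item is missing.");


# Connect to the appropriate share.
name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, "IPC$");
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}


# Make sure it's installed.  The default value of SOFTWARE\WinPcap is only
# used as an installation indicator; the driver itself is always read from
# the system root below, not from this path.
path = NULL;
key = "SOFTWARE\WinPcap";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(value))
  {
    path = value[1];
    # Strip a trailing backslash.
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
  }
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
  NetUseDel();
  audit(AUDIT_NOT_INST, "WinPcap");
}
# Drop the IPC$ connection but keep the SMB session for the file share.
NetUseDel(close:FALSE);


# Grab the file version of the affected file.
winroot = hotfix_get_systemroot();
if (!winroot)
{
  # The session is still open after NetUseDel(close:FALSE); close it
  # before bailing out.
  NetUseDel();
  exit(1, "Can't determine the Windows system root.");
}

# "C:\Windows" -> share "C$" and path "\Windows\System32\drivers\npf.sys".
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
sys = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\drivers\npf.sys", string:winroot);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

ver = NULL;
fh = CreateFile(
  file:sys,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();

# Missing driver or unreadable version resource: say so instead of ending
# silently, so an absent npf.sys is distinguishable from a patched one.
if (isnull(ver)) audit(AUDIT_VER_FAIL, sys);


# Check the version number.
# nb: 4.0.0.901 is the file version from version 4.0.1.
fix = split("4.0.0.901", sep:'.', keep:FALSE);
for (i=0; i<4; i++)
  fix[i] = int(fix[i]);

# Compare component by component (major.minor.build.revision): the first
# differing component decides, all-equal means the fixed build itself.
# Only as many components as the fixed version has are compared, so a
# longer ver array never indexes past the end of fix.
n = max_index(ver);
if (n > 4) n = 4;

vuln = FALSE;
for (i=0; i<n; i++)
{
  if (ver[i] < fix[i])
  {
    vuln = TRUE;
    break;
  }
  else if (ver[i] > fix[i]) break;
}

if (vuln) security_warning(port);
else audit(AUDIT_INST_VER_NOT_VULN, "WinPcap NPF.SYS", join(ver, sep:"."));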