eEye Research - http://research.eeye.com Intel Network Adapter Driver Local Privilege Escalation Release Date: December 7, 2006 Date Reported: July 10, 2006 Severity: Medium (Local Privilege Escalation to Kernel) Systems Affected: Windows 2000, XP, 2003, Vista Intel PRO 10/100 - 8.0.27.0 or previous Intel PRO/1000 - 8.7.1.0 or previous Intel PRO/1000 PCI - 9.1.30.0 or previous Linux Intel PRO 10/100 - 3.5.14 or previous Intel PRO/1000 - 7.2.7 or previous Intel PRO/10GbE - 1.0.109 or previous UnixWare/SCO6 Intel PRO 10/100 - 4.0.3 or previous Intel PRO/1000 - 9.0.15 or previous Overview: eEye Digital Security has discovered a vulnerability in all Intel network adapter drivers ("NDIS miniport drivers") that could allow unprivileged code executing on an affected system to gain unfettered, kernel-level access. For instance, a malicious user, malware, or exploit payload taking advantage of an unrelated vulnerability could additionally exploit this vulnerability in order to completely compromise a system at the kernel level. The vulnerability is a simple strcpy-based stack buffer overflow within the Intel miniport driver, and can be reliably exploited on all versions of Windows in order to execute arbitrary code. Technical Details: Despite the low level occupied by NDIS miniport drivers, it is possible for unprivileged user-mode code to communicate with them via NDIS-brokered requests for network adapter statistics. An IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request made to "\Device\{adapterguid}" will cause NDIS.SYS to invoke the QueryInformationHandler routine registered by the miniport driver in its call to NdisMRegisterMiniport. The input buffer supplied with this IOCTL is a list of 32-bit OIDs corresponding to the statistics of interest, each of which is passed individually to QueryInformationHandler, which contains the code necessary to retrieve the statistic and return it in the provided output buffer. In the case of Intel miniport drivers, certain OID handlers will process the contents of the output buffer. On Windows 2000, a pointer to the user-supplied buffer is passed directly to the miniport driver, meaning this data is under user control. (Windows XP and later passes in a pointer to a temporary buffer in kernel memory containing undefined data, which can be controlled by "seeding" pool memory from user-mode prior to attempting exploitation.) The handler for OID 0xFF0203FC attempts to copy a string from the output buffer into a stack variable using essentially the following strcpy operation: strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4) Therefore, supplying a 0x17A-character string (at offset +0x0C within the output buffer, because NDIS uses the first 8 bytes for its own purposes) will cause the handler function's return address to be entirely overwritten, allowing execution to be redirected to an arbitrary user- or kernel-mode address. Despite vendor sentiment to the contrary, it should be understood that driver flaws really are and have always been a major threat. Local exploitation of this vulnerability will result in arbitrary code execution, providing a level of access that amounts to "the keys to the kingdom." Protection: Retina - Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Intel has released a patch for this vulnerability which is available at http://support.intel.com/support/network/sb/CS-023726.htm. Credit: Derek Soeder Related Links: Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Greetings: F1: the very best of luck to you. To Gliko and to Mr. and Mrs. Mike: congrats! cDc for holding the best Vegas party. TA, WC, MF, DKP, DM, BN, MP, CSam, HTP, RS, SY, and the G in GUI. Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.