Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.WINPCAP_NPF_BPF_FILTER_INIT.NASL
HistoryNov 13, 2007 - 12:00 a.m.

WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Local Privilege Escalation

2007-11-1300:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
10
JSON

WinPcap, a packet capture and filtering engine, is installed on the remote Windows host.

The version of WinPcap on the remote host enables a local user to execute arbitrary code in kernel context because it fails to validate array indices passed to the ‘bpf_filter_init()’ function via specially crafted IOCTL requests.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  script_id(28182);
  script_version("1.16");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2007-5756");
  script_bugtraq_id(26409);

  script_name(english:"WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Local Privilege Escalation");
  script_summary(english:"Checks version of NPF.SYS");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains an application that is prone to a
local privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"WinPcap, a packet capture and filtering engine, is installed on the
remote Windows host.

The version of WinPcap on the remote host enables a local user to
execute arbitrary code in kernel context because it fails to validate
array indices passed to the 'bpf_filter_init()' function via specially
crafted IOCTL requests.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?59d8c4d1");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483581/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://www.winpcap.org/misc/changelog.htm" );
  script_set_attribute(attribute:"solution", value:"Upgrade to WinPcap version 4.0.2 or later.");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(119);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_enum_services.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("audit.inc");
include("smb_hotfixes.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Connect to the appropriate share.
name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(0);
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(0);
}


# Make sure it's installed.
path = NULL;

key = "SOFTWARE\WinPcap";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(value))
  {
    path = value[1];
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
  }
  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
  NetUseDel();
  exit(0);
}
NetUseDel(close:FALSE);


# Grab the file version of the affected file.
winroot = hotfix_get_systemroot();
if (!winroot) exit(1);

share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:winroot);
sys =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\System32\drivers\npf.sys", string:winroot);

rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(0);
}

fh = CreateFile(
  file:sys,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);

ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();


# Check the version number.
if (!isnull(ver))
{
  # nb: 4.0.0.1040 is the file version from version 4.0.2.
  fix = split("4.0.0.1040", sep:'.', keep:FALSE);
  for (i=0; i<4; i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(ver); i++)
    if ((ver[i] < fix[i]))
    {
      security_warning(port);
      break;
    }
    else if (ver[i] > fix[i])
      break;
}

Related

securityvulns 2
kaspersky 1
seebug 1
cve 1
prion 1
cvelist 1
securityvulns
securityvulns
WinPcap driver array overflow
2007-11-14 00:00:00
iDefense Security Advisory 11.12.07: WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability
2007-11-14 00:00:00
kaspersky
kaspersky
KLA10395 LPE vulnerability in WinPcap
2007-11-13 00:00:00
seebug
seebug
WinPcap NPF.SYS bpf_filter_init函数本地权限提升漏洞
2007-11-14 00:00:00
cve
cve
CVE-2007-5756
2007-11-14 01:46:00
prion
prion
Code injection
2007-11-14 01:46:00
cvelist
cvelist
CVE-2007-5756
2007-11-14 01:00:00
JSON
Related for WINPCAP_NPF_BPF_FILTER_INIT.NASL
securityvulns2kaspersky1seebug1cve1prion1cvelist1