Microsoft Windows NDISTAPI.sys Permission Weakness Local DoS
2007-03-19T08:34:06
ID: OSVDB:33628
Type: osvdb
Reporter: Rubén Santamarta (ruben@reversemode.com)
Modified: 2007-03-19T08:34:06
Description
Vulnerability Description
Microsoft Windows contains a flaw that may allow a local denial of service. The issue is caused by weak permissions in "ndistapi.sys" that allow user-mode applications to write to "Device\NdisTapi". A local attacker can exploit this by sending arbitrary data, resulting in a loss of availability.
Solution Description
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. However, it seems that Microsoft has corrected this issue for Windows 2003 Server in the release of Service Pack 2.
References:
Secunia Advisory ID: 24598
Other Advisory URL: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=47
Other Advisory URL: http://www.securiteam.com/windowsntfocus/5OP0P0AKUA.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0261.html
ISS X-Force ID: 33086
FrSIRT Advisory: ADV-2007-1031
CVE-2007-1537
Bugtraq ID: 23025