SSV:20047
Aug 17, 2010

Microsoft Windows TCP/IP Implementation IppSortDestinationAddresses() Function Integer Overflow Vulnerability (MS10-058)

2010-08-17 00:00:00
Root
www.seebug.org

EPSS: 0.0004 (Low), Percentile: 12.7%

BUGTRAQ ID: 42254
CVE ID: CVE-2010-1893

Microsoft Windows is a very popular operating system released by Microsoft.

The IppSortDestinationAddresses() function in the Windows TCP/IP implementation contains an integer overflow when processing a SOCKET_ADDRESS_LIST structure. A local user can corrupt kernel memory by calling WSAIoctl with the SIO_ADDRESS_LIST_SORT IOCTL and execute arbitrary code with SYSTEM privileges.

The following pseudocode appears at the start of IppSortDestinationAddresses():

DestinationAddresses = ExAllocatePoolWithTag(NumberOfDestinationAddresses * sizeof(SOCKADDR_IN6));
// sizeof(SOCKADDR_IN6) = 0x1C; the product is computed without an overflow check,
// so a large NumberOfDestinationAddresses wraps to a small allocation
NtStatus = IppFlattenAddressList(SocketAddressList, DestinationAddresses);

if (!NT_SUCCESS(NtStatus)) ExFreePoolWithTag(DestinationAddresses);

The integer overflow leads to a kernel-mode pool overflow in IppSortDestinationAddresses() and IppFlattenAddressList(). The following pseudocode contains only the most important parts of the function:

NTSTATUS
IppFlattenAddressList(IN PSOCKET_ADDRESS_LIST SocketAddressList,
                      OUT PSOCKADDR_IN6 FlattenAddressList)
{
    PSOCKADDR_IN6 Address;
    // [...]

    for (Index = 0; Index < SocketAddressList->iAddressCount; Index += 1) {
        if (SocketAddressList->Address[Index].iSockaddrLength != sizeof(SOCKADDR_IN6))
            return STATUS_INVALID_PARAMETER;

        Address = SocketAddressList->Address[Index].lpSockaddr;

        // Of course, there is a ProbeForRead + __try if the function is called from userland
        FlattenAddressList[Index] = *Address; // <--- Pool overflow is occurring here.

        //
        // The following part is important if you want to proceed to the overflow.
        //
        if (FlattenAddressList[Index].sin6_family != AF_INET6)
            return STATUS_INVALID_PARAMETER;
    }
    // [...]
}

Because SocketAddressList->iAddressCount can hold an excessively large value, the loop keeps copying data into the kernel pool until either sin6_family differs from AF_INET6 or iSockaddrLength differs from sizeof(SOCKADDR_IN6). In both cases IppFlattenAddressList() returns STATUS_INVALID_PARAMETER, forcing the caller to free the kernel pool allocation.

sin6_family is the first field of the SOCKADDR_IN6 structure; during unlinking from the list it is read as the PreviousSize field of the POOL_HEADER structure, which makes this vulnerability harder to exploit.
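The root cause above is an unchecked 32-bit product. The following is an added illustration, not code from the advisory or from Microsoft: it reproduces the size arithmetic with the 0x1C element size the advisory states, shows how a constructed count wraps to a tiny allocation while the copy loop would still trust the count, and places the overflow-checked computation beside it. `__builtin_mul_overflow` is a GCC/Clang builtin used here for portability; in a Windows kernel driver the equivalent check is an ntintsafe helper such as RtlULongMult.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* sizeof(SOCKADDR_IN6) as given in the advisory (0x1C = 28 bytes). */
#define SOCKADDR_IN6_SIZE 0x1Cu

/* Unchecked size computation, shaped like the advisory's
 * ExAllocatePoolWithTag(NumberOfDestinationAddresses * sizeof(SOCKADDR_IN6)).
 * The product is formed in 32 bits and silently wraps. */
uint32_t unchecked_alloc_size(uint32_t address_count)
{
    return address_count * SOCKADDR_IN6_SIZE;
}

/* Number of whole SOCKADDR_IN6 records the allocation can actually hold.
 * The copy loop in IppFlattenAddressList() instead trusts iAddressCount. */
uint32_t records_that_fit(uint32_t alloc_bytes)
{
    return alloc_bytes / SOCKADDR_IN6_SIZE;
}

/* Hardened form: fail the request when count * size is not representable,
 * so the allocation is never smaller than the data the loop will copy. */
bool checked_alloc_size(uint32_t address_count, uint32_t *out_bytes)
{
    uint32_t bytes;
    if (__builtin_mul_overflow(address_count, SOCKADDR_IN6_SIZE, &bytes))
        return false;                       /* reject: product would wrap */
    *out_bytes = bytes;
    return true;
}

int main(void)
{
    /* Constructed count: 153391690 * 28 = 2^32 + 24, so the unchecked
     * product wraps to 24 bytes (room for zero full records) while the
     * loop bound would still be 153391690 records. */
    uint32_t count = 153391690u;
    uint32_t bytes = 0;

    printf("unchecked: count=%u -> %u bytes (%u records fit)\n",
           count, unchecked_alloc_size(count),
           records_that_fit(unchecked_alloc_size(count)));
    printf("checked:   %s\n",
           checked_alloc_size(count, &bytes) ? "accepted" : "rejected (overflow)");
    return 0;
}
```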

Microsoft Windows Vista SP1
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows 7
Vendor patch:

Microsoft

Microsoft has released a security bulletin (MS10-058) and the corresponding patch for this issue:
MS10-058: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx?pf=true
