Buffer overflow in Vista's TCP/IP stack
Researchers at Austrian firewall maker phion AG have discovered a local vulnerability in Windows Vista's TCP/IP stack that may be exploited to obtain complete control of the operating system. Phion's security advisory says that calling the Windows API function CreateIpForwardEntry2 with a cunningly chosen parameter causes a kernel memory area to be overwritten, so that the system crashes with the dreaded blue screen. The same effect can reportedly be achieved by issuing the command "route add" and supplying a netmask with more than 32 bits as a parameter; evidently this command uses the same Windows function.
A user has to be at least a member of the Network Configuration Operators group to execute the function, but, since the buffer overflow overwrites kernel memory, they might then be able to inject code and therefore obtain unrestricted system access. This kind of exploit requires access to the local machine, and there is no hint yet that it could be exploited remotely, so the threat is relatively low.
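One check an administrator might run against the precondition described above, as an added example that is not part of the advisory or this article: it reports Vista hosts that have not yet received the SP2 fix and on which the Network Configuration Operators group actually has members. It assumes PowerShell with the WMI and ADSI providers available; the function name is hypothetical.

```powershell
# Added example (not phion's or Microsoft's code): audit the precondition the
# advisory names. The overflow needs a caller in "Network Configuration
# Operators" on a Vista host that has not received the SP2 fix.
# Assumes PowerShell with WMI and the WinNT ADSI provider; the default target
# is the local machine.
function Get-NetConfigOperatorExposure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Windows Vista reports kernel version 6.0; the advisory says the fix is
    # slated for Service Pack 2, so SP < 2 counts as unpatched here.
    $os      = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $isVista = $os.Version -like '6.0.*'
    $preSp2  = [int]$os.ServicePackMajorVersion -lt 2

    # Enumerate members of the local group via the WinNT ADSI provider
    # (works on Vista, where Get-LocalGroupMember does not exist).
    $group   = [ADSI]"WinNT://$ComputerName/Network Configuration Operators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        OSVersion    = $os.Version
        ServicePack  = $os.ServicePackMajorVersion
        Operators    = $members
        # Exposed = vulnerable build AND at least one account able to call the API
        Exposed      = ($isVista -and $preSp2 -and $members.Count -gt 0)
    }
}

# Usage: list hosts where group membership should be reviewed until SP2 is applied
Get-NetConfigOperatorExposure | Where-Object { $_.Exposed } |
    Format-List ComputerName, OSVersion, ServicePack, Operators
```

Pass remote hostnames to -ComputerName to sweep several machines; membership in Network Configuration Operators is the lever a defender controls while waiting for the patch.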
Phion's researchers say they have been able to reproduce the error under the 32-bit and 64-bit versions of Vista Enterprise and Vista Ultimate, so they assume it is also present in other Vista variants. They report that the problem is not rectified by any previously issued security update or by Service Pack 1, but that Windows XP is not affected. According to Phion, Microsoft was notified of the problem in October and plans to fix it in Vista SP2.