In association with heise online

13 November 2007, 10:27

WinPcap allows for privilege escalation

In a security advisory, security service provider iDefense has warned of a vulnerability in a device driver within the open source WinPcap library that local users could exploit to escalate their privileges. Applications such as Wireshark use this library to capture network packets.

The flawed device driver, npf.sys, is loaded when a system administrator launches an application based on WinPcap; the installer can also set the driver up so that Windows loads it every time it boots. Local users can reach the driver via its IOCTL interface. The function bpf_filter_init uses data supplied by the user as index values for an array without checking it. As a result, injected code could be executed at kernel level.

The flaw affects WinPcap 4.0.1, which is included in the Wireshark 0.99.6a installation package. The developers have remedied the problem in the new version 4.0.2. Administrators who use WinPcap on a multi-user system are advised to download and install the current version of the library as soon as possible.
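The class of flaw described above, caller-supplied values used as array indices without a range check, shown with its fix as an added illustration in C. This is not WinPcap's code or its patch: `filter_init_checked`, `struct init_entry`, `TABLE_SLOTS` and the buffer layout are hypothetical, and a plain pointer stands in for the IOCTL input buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TABLE_SLOTS 16   /* hypothetical size of the driver-side table */

/* Hypothetical layout of one entry in the caller-supplied IOCTL buffer. */
struct init_entry {
    uint32_t slot;       /* caller-controlled index into the table */
    uint32_t value;      /* value to store at that index */
};
enum { INIT_OK = 0, INIT_BAD_LENGTH = -1, INIT_BAD_INDEX = -2 };

/* Applies the caller's entries to table[] only if every index is in range.
 * The unchecked form is the same loop without the `slot >= TABLE_SLOTS` test. */
int filter_init_checked(uint32_t *table, const void *user_buf, size_t user_len)
{
    uint32_t staged[TABLE_SLOTS];
    struct init_entry e;
    size_t i, n;
    /* Reject missing, empty or partially filled buffers before reading. */
    if (user_buf == NULL || user_len == 0 || user_len % sizeof e != 0)
        return INIT_BAD_LENGTH;
    n = user_len / sizeof e;
    memcpy(staged, table, sizeof staged);
    for (i = 0; i < n; i++) {
        /* Fetch each entry once, so the index checked is the index used. */
        memcpy(&e, (const uint8_t *)user_buf + i * sizeof e, sizeof e);
        if (e.slot >= TABLE_SLOTS)   /* unsigned: also catches "negative" */
            return INIT_BAD_INDEX;
        staged[e.slot] = e.value;
    }
    memcpy(table, staged, sizeof staged);   /* commit only a fully valid buffer */
    return INIT_OK;
}

/* Constructed sample: two entries, the second index chosen by the caller.
 * Returns the stored value, the error code, or 1 if a rejected buffer changed the table. */
int demo(uint32_t second_slot)
{
    uint32_t table[TABLE_SLOTS] = {0};
    struct init_entry buf[2] = { {3, 111}, {second_slot, 222} };
    int rc = filter_init_checked(table, buf, sizeof buf);
    if (rc != INIT_OK)
        return table[3] == 0 ? rc : 1;
    return (int)table[second_slot];
}

int main(void) { return demo(5) == 222 ? 0 : 1; }
```

Staging the writes and committing them only after the whole buffer passes means a rejected request leaves the table unchanged.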
