WinPcap allows for privilege escalation
In a security advisory, security service provider iDefense has warned of a vulnerability in a device driver within the open source WinPcap library that local users could exploit to escalate their privileges. Applications such as Wireshark use this library to capture network packets.
npf.sys, the flawed device driver, is loaded when a system administrator launches an application based on WinPcap. During installation, however, the driver can be configured so that Windows loads it at every boot. Local users can access the driver via an IOCTL interface. The function bpf_filter_init does not check user-supplied data before using it as index values for an array. As a result, injected code could be executed at kernel level.
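The missing check described above, as an added example (not code from WinPcap, npf.sys, or the iDefense advisory): a handler that snapshots a caller-supplied buffer and rejects any out-of-range index before it writes to a fixed-size array. The record layout, function name, and sizes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names and sizes are hypothetical; none come from npf.sys. */
#define TABLE_SLOTS  16u  /* size of the driver-side array */
#define MAX_REQUESTS 8u   /* upper bound on records per call */

struct slot_request {
    uint32_t index;  /* caller-chosen array index: untrusted */
    uint32_t value;  /* value to store at that index */
};

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_BAD_INDEX = -2 };

/* Apply a caller-supplied buffer of slot_request records to table[].
 * Nothing is written unless every record passes validation. */
int apply_requests(uint32_t table[TABLE_SLOTS], const void *buf, size_t len)
{
    struct slot_request reqs[MAX_REQUESTS];
    size_t count, i;

    /* The length must describe 1..MAX_REQUESTS whole records. */
    if (buf == NULL || len == 0 || len % sizeof(reqs[0]) != 0)
        return REQ_BAD_LENGTH;
    count = len / sizeof(reqs[0]);
    if (count > MAX_REQUESTS)
        return REQ_BAD_LENGTH;

    /* Snapshot the input once, so the values checked are the values
     * used even if the caller rewrites its buffer afterwards. */
    memcpy(reqs, buf, len);

    /* Unsigned index: one comparison also rejects "negative" values. */
    for (i = 0; i < count; i++)
        if (reqs[i].index >= TABLE_SLOTS)
            return REQ_BAD_INDEX;

    for (i = 0; i < count; i++)
        table[reqs[i].index] = reqs[i].value;
    return REQ_OK;
}

int main(void)
{
    uint32_t table[TABLE_SLOTS] = {0};
    struct slot_request bad = { 0xFFFFFFFFu, 1 };  /* constructed input */
    return apply_requests(table, &bad, sizeof bad) == REQ_BAD_INDEX ? 0 : 1;
}
```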
The flaw affects WinPcap 4.0.1, which is included in the Wireshark 0.99.6a installation package. The developers have remedied the problem in the new version 4.0.2. Administrators who use WinPcap on a multi-user system are advised to download and install the current version of the library as soon as possible.
- WinPcap NPF.SYS bpf_filter_init Arbitrary Array Indexing Vulnerability, iDefense's security advisory
- Download the new version of WinPcap