EEYE: Intel Network Adapter Driver Local Privilege Escalation Dec 07 2006 11:09PM
eEye Advisories (Advisories eeye com)
eEye Research - http://research.eeye.com

Intel Network Adapter Driver Local Privilege Escalation

Release Date:
December 7, 2006

Date Reported:
July 10, 2006

Medium (Local Privilege Escalation to Kernel)

Systems Affected:
Windows 2000, XP, 2003, Vista
Intel PRO 10/100 - or previous
Intel PRO/1000 - or previous
Intel PRO/1000 PCI - or previous
Intel PRO 10/100 - 3.5.14 or previous
Intel PRO/1000 - 7.2.7 or previous
Intel PRO/10GbE - 1.0.109 or previous
Intel PRO 10/100 - 4.0.3 or previous
Intel PRO/1000 - 9.0.15 or previous

eEye Digital Security has discovered a vulnerability in all Intel
network adapter drivers ("NDIS miniport drivers") that could allow
unprivileged code executing on an affected system to gain unfettered,
kernel-level access. For instance, a malicious user, malware, or
exploit payload taking advantage of an unrelated vulnerability could
additionally exploit this vulnerability in order to completely
compromise a system at the kernel level.

The vulnerability is a simple strcpy-based stack buffer overflow within
the Intel miniport driver, and can be reliably exploited on all versions
of Windows in order to execute arbitrary code.

Technical Details:
Despite the low level occupied by NDIS miniport drivers, it is possible
for unprivileged user-mode code to communicate with them via
NDIS-brokered requests for network adapter statistics. An
IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request made to
"\Device\{adapterguid}" will cause NDIS.SYS to invoke the
QueryInformationHandler routine registered by the miniport driver in its
call to NdisMRegisterMiniport. The input buffer supplied with this
IOCTL is a list of 32-bit OIDs corresponding to the statistics of
interest, each of which is passed individually to
QueryInformationHandler, which contains the code necessary to retrieve
the statistic and return it in the provided output buffer.

In the case of Intel miniport drivers, certain OID handlers will process
the contents of the output buffer. On Windows 2000, a pointer to the
user-supplied buffer is passed directly to the miniport driver, meaning
this data is under user control. (Windows XP and later passes in a
pointer to a temporary buffer in kernel memory containing undefined
data, which can be controlled by "seeding" pool memory from user-mode
prior to attempting exploitation.)

The handler for OID 0xFF0203FC attempts to copy a string from the output
buffer into a stack variable using essentially the following strcpy

strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4)

Therefore, supplying a 0x17A-character string (at offset +0x0C within
the output buffer, because NDIS uses the first 8 bytes for its own
purposes) will cause the handler function's return address to be
entirely overwritten, allowing execution to be redirected to an
arbitrary user- or kernel-mode address.

Despite vendor sentiment to the contrary, it should be understood that
driver flaws really are and have always been a major threat. Local
exploitation of this vulnerability will result in arbitrary code
execution, providing a level of access that amounts to "the keys to the

Retina - Network Security Scanner has been updated to identify this

Vendor Status:
Intel has released a patch for this vulnerability which is available at

Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
Blink - Unified Client Security Personal - Free For Home Use:
Blink - Unified Client Security Professional - Free Trial:

F1: the very best of luck to you. To Gliko and to Mr. and Mrs. Mike:
congrats! cDc for holding the best Vegas party. TA, WC, MF, DKP, DM,
BN, MP, CSam, HTP, RS, SY, and the G in GUI.

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission.

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus