Npcap 0.992 Pool Corruption #308

Closed
r0t0tiller opened this issue Apr 22, 2019 · 4 comments
Labels
bug security Possibly security-relevant


@r0t0tiller

Description:

Sending a malformed .pcap with the npcap loopback adapter causes kernel pool corruption.

Analysis:

Sending a malformed .pcap file with the npcap loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This vulnerability could lead to arbitrary code executing inside the Windows kernel and allow elevation of privileges.

Version: npcap 0.992

Tested on: Windows 10 x64

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000041414141, Pool tag value from the pool header
Arg3: 0000000041414141, Contents of the first 4 bytes of the pool header
Arg4: ffff9a06cec76010, Address of the block of pool being deallocated

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for npcap.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll - 

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

POOL_ADDRESS:  ffff9a06cec76010 Nonpaged pool

FREED_POOL_TAG:  Io  

BUGCHECK_STR:  0xc2_7_Io  

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  sendcap.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff800b3c5b3b2 to fffff800b3bc9cd0

STACK_TEXT:  
ffff890c`5d3eed38 fffff800`b3c5b3b2 : 00000000`00000007 ffff9a06`cecc1700 ffff890c`5d3eeea0 fffff800`b3b64640 : nt!DbgBreakPointWithStatus
ffff890c`5d3eed40 fffff800`b3c5abc2 : 00000000`00000003 ffff890c`5d3eeea0 fffff800`b3bd5370 00000000`000000c2 : nt!KiBugCheckDebugBreak+0x12
ffff890c`5d3eeda0 fffff800`b3bc21a7 : 00000000`00001001 00000000`00000fff ffff9a06`cec76000 fffff800`b3dfb8c8 : nt!KeBugCheck2+0x962
ffff890c`5d3ef4c0 fffff800`b3d0403c : 00000000`000000c2 00000000`00000007 00000000`41414141 00000000`41414141 : nt!KeBugCheckEx+0x107
ffff890c`5d3ef500 fffff800`01aa74c2 : ffff9a06`ce4331b0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ExFreePoolWithTag+0xfdc
ffff890c`5d3ef5e0 fffff800`01aa7567 : ffff9a06`cf17d000 00000001`700e6e3f ffff9a06`ce433030 ffff9a06`cec80000 : npcap+0x74c2
ffff890c`5d3ef620 fffff800`01aa7303 : 00000000`00000000 00000000`00004151 00000001`700e6e3f ffff9a06`cd62df40 : npcap+0x7567
ffff890c`5d3ef660 fffff800`01aa4c20 : ffff9a06`41414141 ffff9a06`cec76000 00000000`00004151 00000000`20206f01 : npcap+0x7303
ffff890c`5d3ef6f0 fffff800`b3ab0e69 : 7fffffff`ffffffff ffff9a06`ce6e1ce0 ffffc107`03f19b00 00000000`00000000 : npcap+0x4c20
ffff890c`5d3ef780 fffff800`b3f14fdb : ffff9a06`ce6e1ce0 ffff890c`5d3efb00 00000000`00000001 00000000`00000001 : nt!IofCallDriver+0x59
ffff890c`5d3ef7c0 fffff800`b3f1468a : ffff9a06`00000000 ffff9a06`ce6e1ce0 00000000`20206f49 ffff890c`5d3efb00 : nt!IopSynchronousServiceTail+0x1ab
ffff890c`5d3ef870 fffff800`b3f14e16 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x68a
ffff890c`5d3ef9a0 fffff800`b3bd2743 : ffffffff`ffffffff 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffff890c`5d3efa10 00007ffc`ca5daa84 : 00007ffc`c6f22766 0000002c`8613f288 000001a9`47bf4907 00000000`00000300 : nt!KiSystemServiceCopyEnd+0x13
0000002c`8613f268 00007ffc`c6f22766 : 0000002c`8613f288 000001a9`47bf4907 00000000`00000300 00007ffc`c2b57000 : ntdll!NtDeviceIoControlFile+0x14
0000002c`8613f270 00007ffc`ca273d30 : 00000000`00002349 0000002c`8613f3d0 00000000`00000000 00000000`0e08090f : KERNELBASE!DeviceIoControl+0x66
0000002c`8613f2e0 00007ffc`c08a590e : 00000000`00000001 000001a9`47b60000 00000000`00000001 00000000`00004151 : KERNEL32!DeviceIoControlImplementation+0x80
0000002c`8613f330 00000000`00000001 : 000001a9`47b60000 00000000`00000001 00000000`00004151 00000000`00000000 : packet!PacketSendPackets+0x9e
0000002c`8613f338 000001a9`47b60000 : 00000000`00000001 00000000`00004151 00000000`00000000 00007ff7`00000000 : 0x1
0000002c`8613f340 00000000`00000001 : 00000000`00004151 00000000`00000000 00007ff7`00000000 0000002c`8613f3c0 : 0x000001a9`47b60000
0000002c`8613f348 00000000`00004151 : 00000000`00000000 00007ff7`00000000 0000002c`8613f3c0 00000000`00000000 : 0x1
0000002c`8613f350 00000000`00000000 : 00007ff7`00000000 0000002c`8613f3c0 00000000`00000000 00007ffc`41414141 : 0x4151


STACK_COMMAND:  kb

FOLLOWUP_IP: 
npcap+74c2
fffff800`01aa74c2 488bce          mov     rcx,rsi

FAULT_INSTR_CODE:  e8ce8b48

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  npcap+74c2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npcap

IMAGE_NAME:  npcap.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5c96fdc2

BUCKET_ID_FUNC_OFFSET:  74c2

FAILURE_BUCKET_ID:  0xc2_7_Io___npcap!unknown_function

BUCKET_ID:  0xc2_7_Io___npcap!unknown_function

PRIMARY_PROBLEM_CLASS:  0xc2_7_Io___npcap!unknown_function

TARGET_TIME:  2019-04-22T20:35:53.000Z

Followup:     MachineOwner
---------

0: kd> db ffff9a06cec76010
ffff9a06`cec76010  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76020  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76030  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76040  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76050  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76060  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76070  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76080  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0: kd> !pool ffff9a06cec76010
Pool page ffff9a06cec76010 region is Nonpaged pool
*ffff9a06cec76000 : large page allocation, tag is Io  , size is 0x4160 bytes
		Pooltag Io   : general IO allocations, Binary : nt!io
0: kd> db ffff9a06cec76000 
ffff9a06`cec76000  41 41 41 41 41 41 41 41-41 41 00 00 5a 02 00 00  AAAAAAAAAA..Z...
ffff9a06`cec76010  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76020  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76030  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76040  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76050  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76060  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76070  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0: kd> db ffff9a06cec76000 - 8
ffff9a06`cec75ff8  00 00 00 00 00 00 00 00-41 41 41 41 41 41 41 41  ........AAAAAAAA
ffff9a06`cec76008  41 41 00 00 5a 02 00 00-41 41 41 41 41 41 41 41  AA..Z...AAAAAAAA
ffff9a06`cec76018  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76028  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76038  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76048  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76058  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
ffff9a06`cec76068  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0: kd> dt nt!_POOL_HEADER ffff9a06cec76000
   +0x000 PreviousSize     : 0y01000001 (0x41)
   +0x000 PoolIndex        : 0y01000001 (0x41)
   +0x002 BlockSize        : 0y01000001 (0x41)
   +0x002 PoolType         : 0y01000001 (0x41)
   +0x000 Ulong1           : 0x41414141
   +0x004 PoolTag          : 0x41414141
   +0x008 ProcessBilled    : 0x0000025a`00004141 _EPROCESS
   +0x008 AllocatorBackTraceIndex : 0x4141
   +0x00a PoolTagHash      : 0

PoC:

PoC.pcap.zip

Note: I have also had success triggering the bug with the below PoC (test.pcap). Enabling special pool may be required to trigger the crash.

test.pcap.zip

Additional PoC:

test2.pcap.zip

Additional Information (verifier.exe /standard /driver npcap.sys):

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption.  Typically the current thread's
stack backtrace will reveal the guilty party.
Arguments:
Arg1: fffff50148adeda0, Address trying to free.
Arg2: 000000000000026a, Size of the memory block, as recorded in the pool block header.
Arg3: 0000000000000260, Size of the memory block, as computed based on the address being freed.
Arg4: 0000000000000021, Caller is trying to free an incorrect Special Pool memory block.
	- The value of parameter 2 is stored at the very beginning of the memory
	page that contains the virtual address being freed (parameter 1).
	- The value of parameter 3 is computed as the number of bytes
	available between the virtual address being freed (parameter 1)
	and the end of that memory page.
	- Under normal system behavior, the computed number of bytes (parameter 3)
	is equal to the number of bytes stored in the header (parameter 2)
	rounded up to an alignment of 8 bytes on 32 bit systems and 16 bytes
	on 64 bit systems.
	- On this system, the value of parameter 3 was smaller than the value of
	parameter 2, so either the caller specified an incorrect virtual
	address to be freed, or the beginning of this Special Pool memory page
	was corrupted.

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for VerifierExt.sys
*** ERROR: Module load completed but symbols could not be loaded for npcap.sys
*** ERROR: Module load completed but symbols could not be loaded for e1i63x64.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mpengine.dll - 

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

BUGCHECK_STR:  0xC1_21

SPECIAL_POOL_CORRUPTION_TYPE:  21

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  MsMpEng.exe

CURRENT_IRQL:  2

DPC_STACK_BASE:  FFFFF80402C6CFB0

LAST_CONTROL_TRANSFER:  from fffff80400cd53b2 to fffff80400c43cd0

STACK_TEXT:  
fffff804`02c6bcc8 fffff804`00cd53b2 : fffff501`48adeda0 ffffbd04`b29be040 fffff804`02c6be30 fffff804`00bde640 : nt!DbgBreakPointWithStatus
fffff804`02c6bcd0 fffff804`00cd4bc2 : 00000000`00000003 fffff804`02c6be30 fffff804`00c4f370 00000000`000000c1 : nt!KiBugCheckDebugBreak+0x12
fffff804`02c6bd30 fffff804`00c3c1a7 : 00000000`00000004 fffff804`00b52074 00000000`00000da0 fffff804`00b520bb : nt!KeBugCheck2+0x962
fffff804`02c6c450 fffff804`00cee840 : 00000000`000000c1 fffff501`48adeda0 00000000`0000026a 00000000`00000260 : nt!KeBugCheckEx+0x107
fffff804`02c6c490 fffff804`00d7e00d : 00000000`00000da0 00000000`00019699 00000000`00000000 00000000`20206f49 : nt!MmFreeSpecialPool+0x4ec
fffff804`02c6c5f0 fffff80c`521f7450 : fffff501`48adeda0 ffffbd04`b2393d90 00000000`00000000 fffff804`00b52240 : nt!ExFreePoolWithTag+0xfad
fffff804`02c6c6d0 fffff804`012a6687 : fffff501`48adeda0 ffffbd04`b37d6000 fffff804`02c6c778 fffff804`00b522d2 : VerifierExt+0x7450
fffff804`02c6c700 fffff80c`542a74c2 : ffffbd04`b1a72b50 fffff804`012be613 fffff501`47ee8e02 fffff804`00b523c2 : nt!VerifierExFreePoolWithTag+0x57
fffff804`02c6c730 fffff80c`542a7567 : ffffbd04`b1093000 ffffbd04`b0ded8a0 ffffbd04`b0ded8a0 ffffbd04`b0ded800 : npcap+0x74c2
fffff804`02c6c770 fffff80c`521ff7f7 : ffffbd04`b1093000 ffffbd04`b1a729d0 ffffbd04`b0ded8a0 00000000`00000001 : npcap+0x7567
fffff804`02c6c7b0 fffff80c`52d58387 : ffffbd04`b1093000 00000000`00000000 ffffbd04`b1091c60 ffffbd04`b1035f18 : VerifierExt+0xf7f7
fffff804`02c6c800 fffff80c`548c4090 : ffffbd04`b0e231a0 fffff804`02c6c959 ffffbd04`b0e70000 fffff804`02c6cb02 : ndis!NdisMSendNetBufferListsComplete+0x26a07
fffff804`02c6c8f0 fffff80c`548ce352 : ffffbd04`b0894b10 ffffbd04`b0e70000 ffffbd04`b0e70001 ffffbd04`b0e70000 : e1i63x64+0x14090
fffff804`02c6c9c0 fffff80c`548ce623 : ffffbd04`b09166a0 00000001`00000000 00000001`00000000 00000000`00000001 : e1i63x64+0x1e352
fffff804`02c6ca30 fffff80c`548cddb8 : ffffbd04`b152a000 fffff80c`00000000 00000000`00000000 00000000`00000000 : e1i63x64+0x1e623
fffff804`02c6cac0 fffff80c`52d33f05 : 00000000`00000000 00000000`00000000 fffff803`ffc83180 fffff804`00b2e7cb : e1i63x64+0x1ddb8
fffff804`02c6cb00 fffff804`00ad1367 : 00000000`00000000 fffff804`00000000 ffffbd04`af1281b0 fffff804`00b15c3a : ndis!ndisInterruptDpc+0x185
fffff804`02c6cc60 fffff804`00ad09bb : 00000000`0000000c 00000000`00000000 ffffbd04`b368e080 00000000`0000001a : nt!KiExecuteAllDpcs+0x2e7
fffff804`02c6cda0 fffff804`00c42ff5 : 00000000`00000000 fffff803`ffc83180 ffff8704`f735ee90 ffffd201`7a31a8c0 : nt!KiRetireDpcList+0x1db
fffff804`02c6cfb0 fffff804`00c42df0 : 00000000`00000001 fffff804`00a094e6 00000000`00000002 00000000`00000000 : nt!KxRetireDpcList+0x5
ffff8704`f735edd0 fffff804`00c42725 : fffff803`ffc83180 fffff804`00c3da21 00000000`000013a6 ffffd201`7a31a8c0 : nt!KiDispatchInterruptContinue
ffff8704`f735ee00 fffff804`00c3da21 : 00000000`000013a6 ffffd201`7a31a8c0 00000000`00000000 00000000`00000000 : nt!KiDpcInterruptBypass+0x25
ffff8704`f735ee10 fffff804`00b38e21 : 00000000`00000000 ffff8704`f735f160 00000000`00000000 00000000`00000000 : nt!KiInterruptDispatch+0xb1
ffff8704`f735efa0 fffff804`00cee64b : ffffb680`020521b0 00000000`00000001 ffff8704`f735f130 ffffb680`02181600 : nt!MiFlushTbList+0x261
ffff8704`f735f0f0 fffff804`00d7e00d : 00000000`00000ea0 ffffffff`ffd0bb70 00000000`00000000 00000000`2b707249 : nt!MmFreeSpecialPool+0x2f7
ffff8704`f735f260 fffff804`012b0a25 : fffff501`48a9aea0 fffff501`48a9aea0 00000000`00000001 ffffbd04`b2f8c920 : nt!ExFreePoolWithTag+0xfad
ffff8704`f735f340 fffff804`012a5038 : 00000000`00000000 fffff501`48a9aea0 ffffbd04`b360f002 ffff8704`f735f6c0 : nt!VfIoFreeIrp+0x189
ffff8704`f735f380 fffff804`00acfe9d : ffffbd04`b368c6a0 ffffbd04`b36dab10 ffffbd04`b0a3e160 00000000`00000000 : nt!IovFreeIrpPrivate+0x6c
ffff8704`f735f3c0 fffff804`00f57cc9 : ffff8704`f735f6c0 00000000`00000000 00000000`0000002d ffff8904`8a650001 : nt!IoFreeIrp+0x1d
ffff8704`f735f3f0 fffff804`00f8782b : fffff804`00f57430 fffff804`00f57430 ffff8704`00000000 ffffbd04`b0a3e130 : nt!IopParseDevice+0x899
ffff8704`f735f5c0 fffff804`00f55cdf : ffffbd04`b12ec501 ffff8704`f735f838 00000000`00000040 ffffbd04`af129080 : nt!ObpLookupObjectName+0x73b
ffff8704`f735f7a0 fffff804`00f52045 : ffffbd04`00000001 00000000`00000000 00000000`00000000 00000000`00000028 : nt!ObOpenObjectByNameEx+0x1df
ffff8704`f735f8e0 fffff804`00f517a9 : 000000fa`8a87ee30 00000000`00000000 000000fa`8a87ee88 000000fa`8a87ee48 : nt!IopCreateFile+0x3f5
ffff8704`f735f980 fffff804`00c4c743 : ffffbd04`b29be040 000000fa`8a87efd0 0000024a`187867a0 00000000`00000210 : nt!NtCreateFile+0x79
ffff8704`f735fa10 00007ffd`3e23b444 : 00007ffd`3b394be8 00000000`00000000 00000000`00000080 0000024a`1f91ffb0 : nt!KiSystemServiceCopyEnd+0x13
000000fa`8a87edb8 00007ffd`3b394be8 : 00000000`00000000 00000000`00000080 0000024a`1f91ffb0 00000000`00000000 : ntdll!NtCreateFile+0x14
000000fa`8a87edc0 00007ffd`3b3948d6 : 00000000`00000001 00000000`00000003 00000000`00000000 00000000`00000000 : KERNELBASE!CreateFileInternal+0x2f8
000000fa`8a87ef30 00007ffd`3b394268 : 00000000`00000009 00007ffd`3b3954df 00000000`00000210 00000000`00000210 : KERNELBASE!CreateFileW+0x66
000000fa`8a87ef90 00007ffd`3b3951cc : ffffffff`ffffffff 000000fa`8a87f058 000000fa`8a87f290 0000024a`18788340 : KERNELBASE!BasepGetVolumeGUIDFromNTName+0x4c
000000fa`8a87f000 00007ffd`26ddb510 : 0000024a`187867a0 000000fa`8a87f290 000000fa`8a87f290 000000fa`8a87f260 : KERNELBASE!GetFinalPathNameByHandleW+0x11c
000000fa`8a87f090 0000024a`187867a0 : 000000fa`8a87f290 000000fa`8a87f290 000000fa`8a87f260 00007ffd`2777c6d8 : mpengine!FreeSigFiles+0x1cf780
000000fa`8a87f098 000000fa`8a87f290 : 000000fa`8a87f290 000000fa`8a87f260 00007ffd`2777c6d8 00000000`00000001 : 0x0000024a`187867a0
000000fa`8a87f0a0 000000fa`8a87f290 : 000000fa`8a87f260 00007ffd`2777c6d8 00000000`00000001 00007ffd`2777c6d8 : 0x000000fa`8a87f290
000000fa`8a87f0a8 000000fa`8a87f260 : 00007ffd`2777c6d8 00000000`00000001 00007ffd`2777c6d8 00007ffd`26ab14c2 : 0x000000fa`8a87f290
000000fa`8a87f0b0 00007ffd`2777c6d8 : 00000000`00000001 00007ffd`2777c6d8 00007ffd`26ab14c2 00000000`00000b98 : 0x000000fa`8a87f260
000000fa`8a87f0b8 00000000`00000001 : 00007ffd`2777c6d8 00007ffd`26ab14c2 00000000`00000b98 000000fa`8a87f1d0 : mpengine!MpBootStrap+0x81a2f8
000000fa`8a87f0c0 00007ffd`2777c6d8 : 00007ffd`26ab14c2 00000000`00000b98 000000fa`8a87f1d0 00000000`00000001 : 0x1
000000fa`8a87f0c8 00007ffd`26ab14c2 : 00000000`00000b98 000000fa`8a87f1d0 00000000`00000001 0000024a`18174c01 : mpengine!MpBootStrap+0x81a2f8
000000fa`8a87f0d0 00000000`00000b98 : 000000fa`8a87f1d0 00000000`00000001 0000024a`18174c01 00000000`00000003 : mpengine+0x114c2
000000fa`8a87f0d8 000000fa`8a87f1d0 : 00000000`00000001 0000024a`18174c01 00000000`00000003 00000000`02000000 : 0xb98
000000fa`8a87f0e0 00000000`00000001 : 0000024a`18174c01 00000000`00000003 00000000`02000000 0000024a`1f8fb820 : 0x000000fa`8a87f1d0
000000fa`8a87f0e8 0000024a`18174c01 : 00000000`00000003 00000000`02000000 0000024a`1f8fb820 00000000`00000000 : 0x1
000000fa`8a87f0f0 00000000`00000003 : 00000000`02000000 0000024a`1f8fb820 00000000`00000000 000000fa`8a87f8d0 : 0x0000024a`18174c01
000000fa`8a87f0f8 00000000`02000000 : 0000024a`1f8fb820 00000000`00000000 000000fa`8a87f8d0 000000fa`8a87f8c0 : 0x3
000000fa`8a87f100 0000024a`1f8fb820 : 00000000`00000000 000000fa`8a87f8d0 000000fa`8a87f8c0 00000000`00000000 : 0x2000000
000000fa`8a87f108 00000000`00000000 : 000000fa`8a87f8d0 000000fa`8a87f8c0 00000000`00000000 00000000`00000000 : 0x0000024a`1f8fb820


STACK_COMMAND:  kb

FOLLOWUP_IP: 
npcap+74c2
fffff80c`542a74c2 488bce          mov     rcx,rsi

FAULT_INSTR_CODE:  e8ce8b48

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  npcap+74c2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npcap

IMAGE_NAME:  npcap.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5c96fdc2

BUCKET_ID_FUNC_OFFSET:  74c2

FAILURE_BUCKET_ID:  0xC1_21_VRF_npcap!unknown_function

BUCKET_ID:  0xC1_21_VRF_npcap!unknown_function

PRIMARY_PROBLEM_CLASS:  0xC1_21_VRF_npcap!unknown_function

TARGET_TIME:  2019-04-23T18:27:47.000Z

Followup:     MachineOwner
---------
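As an added triage aid (this is not code from the report or from Npcap): the script below parses the `db` lines at the pool header from the first dump, decodes them as the x64 nt!_POOL_HEADER layout that `dt` printed, and compares the decoded fields with the 0xC2 arguments; a second helper applies the size rule the 0xC1 bugcheck text states. It generalises to any `db` output of the same shape; the header layout and 16-byte BlockSize unit are assumptions taken from the dump.

```python
"""Pool-header triage for the 0xC2 and 0xC1 dumps above.

Added example for this issue page; it is not code from the report or from
Npcap. Assumed layout: the x64 nt!_POOL_HEADER as `dt` printed it
(PreviousSize:8, PoolIndex:8, BlockSize:8, PoolType:8, PoolTag:32,
ProcessBilled:64), 16 bytes, BlockSize in 16-byte units.
"""
import re
import struct

# Two `db ffff9a06cec76000` lines copied from the report (the header and the
# start of the freed block).
DB_OUTPUT = """\
ffff9a06`cec76000  41 41 41 41 41 41 41 41-41 41 00 00 5a 02 00 00  AAAAAAAAAA..Z...
ffff9a06`cec76010  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
"""

_DB_LINE = re.compile(r"^([0-9a-f`]+)\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")


def parse_db(text):
    """Return (base_address, raw_bytes) from WinDbg `db` output, ignoring the ASCII column."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = _DB_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1).replace("`", ""), 16)
        base = addr if base is None else base
        data += bytes.fromhex(m.group(2).replace("-", " "))
    return base, bytes(data)


def decode_pool_header(raw):
    """Decode the 16-byte x64 _POOL_HEADER at the start of raw."""
    prev, idx, size, ptype, tag, billed = struct.unpack_from("<BBBBIQ", raw)
    return {
        "PreviousSize": prev, "PoolIndex": idx, "BlockSize": size, "PoolType": ptype,
        "PoolTag": tag, "PoolTagAscii": struct.pack("<I", tag).decode("latin-1"),
        "ProcessBilled": billed,
        # Ulong1 is the union of the four byte-wide fields, as dt shows it.
        "Ulong1": prev | idx << 8 | size << 16 | ptype << 24,
    }


def header_findings(hdr, bugcheck_arg2, bugcheck_arg3):
    """Checks a triager applies before trusting a header from a 0xC2/7 dump.

    Arg2 is the PoolTag the kernel read from the header, Arg3 its first four
    bytes (Ulong1). Returns a list of findings; empty means nothing suspicious.
    """
    findings = []
    if hdr["PoolTag"] != bugcheck_arg2:
        findings.append("PoolTag in dump differs from bugcheck Arg2")
    if hdr["Ulong1"] != bugcheck_arg3:
        findings.append("Ulong1 in dump differs from bugcheck Arg3")
    if hdr["Ulong1"] == hdr["PoolTag"]:
        findings.append("Ulong1 equals PoolTag: header overwritten with a filler pattern")
    if hdr["BlockSize"] == 0 or hdr["BlockSize"] * 16 > 4096:
        findings.append("BlockSize out of range for a small-pool block")
    return findings


def special_pool_size_ok(recorded_size, available_bytes, pointer_bits=64):
    """0xC1/0x21 rule from the bugcheck text: bytes from the freed address to
    the page end must equal the recorded size rounded up to 8 (x86) or 16 (x64)."""
    align = 16 if pointer_bits == 64 else 8
    rounded = (recorded_size + align - 1) & ~(align - 1)
    return available_bytes == rounded


if __name__ == "__main__":
    base, raw = parse_db(DB_OUTPUT)
    hdr = decode_pool_header(raw)
    print(f"_POOL_HEADER @ {base:#x}: {hdr}")
    for f in header_findings(hdr, bugcheck_arg2=0x41414141, bugcheck_arg3=0x41414141):
        print("finding:", f)
    # Arg2 = 0x26a, Arg3 = 0x260 in the verifier dump: 0x26a rounds to 0x270 != 0x260.
    print("special pool sizes consistent:", special_pool_size_ok(0x26A, 0x260))
```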

@dmiller-nmap
Contributor

Thanks for this bug report. This was due to a partial fix for nmap/nmap#1398, and was already reported there and fixed in 75e5b6b8. We are preparing another Npcap release to address this and a couple other issues.

@fyodor
Member

fyodor commented Apr 23, 2019

Even though this particular bug in Npcap version 0.992 has already been fixed on GitHub and a new release with the fix is imminent, I wanted to say thanks for this excellent bug report! If all of our reports were so detailed, it would make fixing them a lot easier. Cheers!

@dmiller-nmap
Contributor

CVE-2019-11490 has been issued for this bug, and we have opened a dispute over the scoring with NVD. The CVSSv2 score of 9.3 is based on incorrectly scoring it as a network-accessible vulnerability requiring no authentication, when in reality it requires a local authenticated user.

We welcome any input that anyone can provide regarding the exploitability of this issue. The bug is a double-free (CWE-415) of the user-allocated buffer provided via the BIOCSENDPACKETSNOSYNC IoCtl.

@dmiller-nmap
Contributor

This issue was fixed in Npcap 0.993.

@fyodor fyodor transferred this issue from nmap/nmap May 1, 2021
@fyodor fyodor added bug security Possibly security-relevant labels May 1, 2021