Sending a malformed .pcap with npcap loopback adapter causes kernel pool corruption.
Analysis:
Sending a malformed .pcap file with the npcap loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This vulnerability could lead to arbitrary code executing inside the Windows kernel and allow elevation of privileges.
Thanks for this bug report. This was due to a partial fix for nmap/nmap#1398, and was already reported there and fixed in 75e5b6b8. We are preparing another Npcap release to address this and a couple other issues.
Even though this particular bug in version Npcap 0.992 has already been fixed on GitHub and a new release with the fix is imminent, I wanted to say thanks for this excellent bug report! If all of our reports were so detailed, it would make fixing them a lot easier. Cheers!
CVE-2019-11490 has been issued for this bug, and we have opened a dispute over the scoring with NVD. The CVSSv2 score of 9.3 is based on incorrectly scoring it as a network-accessible vulnerability requiring no authentication, when in reality it requires a local authenticated user.
We welcome any input that anyone can provide regarding the exploitability of this issue. The bug is a double-free (CWE-415) of the user-allocated buffer provided via the BIOCSENDPACKETSNOSYNC IoCtl.
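The report above describes the trigger as a malformed .pcap handed to the driver through the send-queue API. As an added example (not code from this issue or from the Npcap project), the following walks a classic libpcap file and rejects records that could never be safely queued, so a malformed capture is caught in user space before pcap_sendqueue_queue() is ever called; the pcap_validate() name and the embedded sample bytes are constructed for this illustration.

```c
/* Added example, not code from the Npcap issue or project: sanity-check a
 * classic libpcap file before its records go to pcap_sendqueue_queue(), so a
 * malformed capture is rejected in user space instead of reaching the driver.
 * Assumes the little-endian magic 0xa1b2c3d4 (the common Windows case). */
#include <stdint.h>
#include <stddef.h>

#define PCAP_MAGIC_LE 0xa1b2c3d4u

static uint32_t rd32(const unsigned char *p) {          /* little-endian u32 */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of well-formed records, or -1 on a bad file header or at
 * the first record that would be unsafe to queue; *bad_off then holds the
 * offset of the offending record header (0 for a file-header problem). */
int pcap_validate(const unsigned char *buf, size_t len, size_t *bad_off) {
    *bad_off = 0;
    if (len < 24 || rd32(buf) != PCAP_MAGIC_LE) return -1;
    uint32_t snaplen = rd32(buf + 16);
    size_t off = 24;
    int count = 0;
    while (off < len) {
        if (len - off < 16) { *bad_off = off; return -1; }  /* truncated header */
        uint32_t incl_len = rd32(buf + off + 8);
        uint32_t orig_len = rd32(buf + off + 12);
        /* A record must be non-empty, within snaplen, not claim more captured
         * bytes than were on the wire, and fit inside the remaining file. */
        if (incl_len == 0 || incl_len > snaplen || incl_len > orig_len ||
            incl_len > len - off - 16) {
            *bad_off = off;
            return -1;
        }
        off += 16 + incl_len;
        count++;
    }
    return count;
}

/* Constructed sample: valid 24-byte header (snaplen 65535, linktype 1), one
 * good 4-byte record, then a record claiming incl_len 0x10000 with no data. */
static const unsigned char SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00,0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    0,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xaa,0xbb,0xcc,0xdd,
    0,0,0,0, 0,0,0,0, 0x00,0x00,0x01,0x00, 0x00,0x00,0x01,0x00
};
static const size_t SAMPLE_LEN = sizeof SAMPLE;   /* 60 bytes */
```

Run over the full sample the check stops at offset 44 (the oversized record); truncated to its first 44 bytes the same buffer validates as one good record.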
Description:
Sending a malformed .pcap with npcap loopback adapter causes kernel pool corruption.
Analysis:
Sending a malformed .pcap file with the npcap loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This vulnerability could lead to arbitrary code executing inside the Windows kernel and allow elevation of privileges.
Version: npcap 0.992
Tested on: Windows 10 x64
PoC:
PoC.pcap.zip
Note: I have also had success triggering the bug with the below PoC (test.pcap). Enabling special pool may be required to trigger the crash.
test.pcap.zip
Additional PoC:
test2.pcap.zip
Additional Information (verifier.exe /standard /driver npcap.sys):