ID

VAR-200612-0565

CVE

CVE-2006-6385

TITLE

Intel network drivers privilege escalation vulnerability

DESCRIPTION

Stack-based buffer overflow in Intel PRO 10/100, PRO/1000, and PRO/10GbE PCI, PCI-X, and PCIe network adapter drivers (aka NDIS miniport drivers) before 20061205 allows local users to execute arbitrary code with "kernel-level" privileges via an incorrect function call in certain OID handlers. Intel PRO Ethernet The driver contains a buffer overflow vulnerability. This can lead to arbitrary code execution on the local machine.A local user may execute arbitrary code with system privileges on the local machine. An attacker can trigger this issue to corrupt memory and to execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer due to privilege escalation. All PCI, PCI-X, and PCIe Intel network adapter drivers are vulnerable. Intel Pro 100/1000 is a series of network card devices launched by Intel. Although the NDIS miniport driver occupies a low level, unprivileged userland code can still communicate with the driver through NIC statistics requests that need to be implemented by NDIS. If an attacker can send an IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request to \Device\{adapterguid}, it will cause NDIS.SYS to call the QueryInformationHandler routine registered by the miniport driver when calling NdisMRegisterMiniport. The input buffer provided by this IOCTL is a list of 32-bit OIDs related to statistics, each of which is passed independently to the QueryInformationHandler, which contains the code required to retrieve the statistics and return them to the output buffer. Under Windows 2000, pointers to user-supplied buffers are passed directly to the miniport driver, which means the data is user-controllable. Under Windows XP and later versions, the pointer is transferred to a temporary buffer containing undefined data in the kernel memory, so the pool memory must be controlled before the attack to control the above data. A processor with OID 0xFF0203FC copies the output buffer's string to a stack variable using the following strcpy operation: strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4) Thus, an attacker can String causes the processor to completely overwrite the return address of the function, redirecting execution flow to an arbitrary user-mode or kernel-mode address. The attack string must be at offset +0x0C in the output buffer, as NDIS itself uses the first 8 bytes. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Intel LAN Driver Unspecified Privilege Escalation Vulnerability SECUNIA ADVISORY ID: SA23221 VERIFY ADVISORY: http://secunia.com/advisories/23221/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Intel PRO 10/100 Adapters (Linux) 3.x http://secunia.com/product/12824/ Intel PRO 10/100 Adapters (UnixWare/SCO6) 4.x http://secunia.com/product/12827/ Intel PRO 10/100 Adapters (Windows) 8.x http://secunia.com/product/12821/ Intel PRO/1000 Adapters (Linux) 7.x http://secunia.com/product/12825/ Intel PRO/1000 Adapters (UnixWare/SCO6) 9.x http://secunia.com/product/12828/ Intel PRO/1000 Adapters (Windows) 8.x http://secunia.com/product/12822/ Intel PRO/1000 PCIe Adapters (Windows) 9.x http://secunia.com/product/12823/ Intel PRO/10GbE Adapters (Linux) 1.x http://secunia.com/product/12826/ DESCRIPTION: A vulnerability has been reported in Intel LAN drivers, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow by using certain function calls incorrectly. SOLUTION: Apply patches (see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits eEye Digital Security. ORIGINAL ADVISORY: Intel: http://www.intel.com/support/network/sb/CS-023726.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

buffer overflow

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Derek Soeder dsoeder@eeye.com

SOURCES

LAST UPDATE DATE

2024-08-14T14:08:19.231000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE