Vista SP1 TCP/IP Buffer Overflow Vulnerability Overwrites Kernel Memory
At the end of October 2008 Microsoft was informed of a new vulnerability affecting the core of Windows Vista, but a fix was not delivered along with the November security bulletins. Thomas Unterleitner of phion AG reported that the Microsoft Vista TCP/IP stack buffer overflow affected both the 32-bit and 64-bit versions of the operating system. Unterleitner confirmed the vulnerability on the Enterprise and Ultimate SKUs of the OS and indicated that all Vista editions were likely affected. According to Unterleitner, Windows XP was not affected.
“Microsoft Device IO Control wrapped by the iphlpapi.dll API shipping with Windows Vista 32 bit and 64 bit contains a possibly exploitable buffer overflow corrupting kernel memory,” Unterleitner revealed. The impact of an exploit targeting the vulnerability could range from a comparatively mild denial of service to code injection.
“The crash does not always occur instantly after executing the provided sample program; it may take a while until the corrupted memory is accessed, causing the operating system to crash with a blue screen,” Unterleitner explained.
Because of the flaw in Vista’s network input/output subsystem, malicious requests addressed to the iphlpapi.dll API would trigger a blue screen of death, crashing the affected machine. However, since the vulnerability is at kernel level, the real danger lies in the exposure of Vista’s kernel to rootkit infection. Still, the severity of the vulnerability is limited by the security mitigations built into Windows Vista.
“Installation of Service Pack 1 and/or security updates had no effect with regard to resolving the random crashes. To execute either the sample program or the route-add command, the user has to be a member of the Network Configuration Operators group or the Administrators group. Since this buffer overflow overwrites kernel memory, it could be possible that members of the Network Configuration Operators group exploit this and take control over the operating system without any restriction,” Unterleitner stated.