Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) pool buffer overflow

GoogleCodeExporter commented 8 years ago

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in 
an ioctl handler. Enabling special on ndis.sys netio.sys and ntoskrnl helps to 
track down the issue, however it will crashes due to a bad pool header without 
special pool as well.

---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 4 Sep 2015 at 10:04

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 4 Sep 2015 at 10:04

Changed title: Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) pool buffer overflow

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 5 Sep 2015 at 12:29

Added labels: MSRC-31101

GoogleCodeExporter commented 8 years ago

Issue 517 has been merged into this issue.

Original comment by haw...@google.com on 17 Sep 2015 at 7:01

GoogleCodeExporter commented 8 years ago

Fixed in MS15-117.

Original comment by haw...@google.com on 20 Nov 2015 at 7:29

Changed state: Fixed
Added labels: CVE-2015-6098
Removed labels: Restrict-View-Commit

bingghost / google-security-research

Windows ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) pool buffer overflow #516