NDI5aster Privilege Escalation through NDIS 5.x Filter Intermediate Drivers

Posted on Posted in Paper, Tutorial's


Security software should provide security. This is what makes research over those bits and bytes slightly more interesting than researching on other software types. The impact is not necessarily greater, since other more mainstream applications might be more widely used and commonly installed, but the word ’security’ is what makes them really attractive to us. On the other hand, we have Windows XP, which was recently abandoned by Microsoft in terms of security patching which means all the ’goodies’ that we can find there, will also probably stay there forever. Unless Microsoft decides to jump back and apply new patches, we can safely say that “what happens in XP stays in XP”. However, Windows Server 2003, which is also affected by the examined issue, was still officially supported by Microsoft at the time of writing this paper. Although, XP operating system is not supported anymore by the vendor it is still quite widely used internally in many companies, and especially Windows Server 2003 R2. These hosts might run important infrastructure software that might not be supported anymore by its vendor. At the same time the migration to a newer platform and finding the right software to rebuilt those systems with the same capabilities might be extremely time and money consuming. In a fair attempt to harden their security, system administrators will install some security software on them. This quite often implies installing some AV security suite that provides malware detection and elimination, as well as some extra firewall capabilities. Based on the aforementioned facts, this research aims to bring some awareness about a well hidden for years issue that even though is not really a bug by definition, it can be exploited through NDIS 5.x network intermediate drivers used by software firewalls to filter network packets [4]. Upon exploitation, it allows a local attacker to elevate his privileges and obtain complete access on the compromised host. This can later lead to a total compromise of the network infrastructure through common post-exploitation techniques, such as obtaining important cached credentials through hash dumping or live credentials residing in memory.

Quelle: Packetstormsecurity