Vulnerability Note VU#600671
PCAUSA Rawether for Windows local privilege escalation
Overview
PCAUSA's Rawether framework does not properly validate BPF data, allowing a crafted malicious BPF program to perform operations on memory outside of its typical bounds when the driver receives network packets. This vulnerability may be exploited to perform local privilege escalation on Windows systems.
Description
The Rawether framework for Windows, originally produced by Printing Communications Assoc., Inc. (PCAUSA), is a framework that facilitates communication between an application and the Network Driver Interface System (NDIS) protocol. This framework is used by many different hardware vendors in their WiFi and router control applications. Rawether implements the Berkeley Packet Filter (BPF) mechanism. BPF filters are compiled into small programs that are executed by a BPF virtual machine.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2017-3196

For more information, see the researcher's blog post.
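As an added illustration (not Rawether's or PCAUSA's code, and not taken from the researcher's post), the C program below shows the kind of validation a driver that executes BPF has to perform on a user-supplied program before running it: it bounds scratch-memory indices, checks that every jump target lies inside the program, rejects division by a constant zero, and requires the program to end in a RET. The opcode encoding follows classic BPF as described in the referenced kernel filter.txt; the instruction-count limit, the function name `bpf_validate` and the four sample programs are assumptions constructed for this demonstration.

```c
/* Added example, not Rawether's code: validate a classic BPF program before it
 * is handed to the interpreter, modeled on the checks in the kernel filter.txt. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction layout (as in <linux/filter.h>). */
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode fields of classic BPF. */
enum {
    BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,   /* class */
    BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06,
    BPF_W = 0x00, BPF_H = 0x08,                                     /* size  */
    BPF_ABS = 0x20, BPF_MEM = 0x60,                                 /* mode  */
    BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_DIV = 0x30,                  /* op    */
    BPF_K = 0x00                                                    /* src   */
};
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)

#define BPF_MEMWORDS 16    /* scratch slots M[0..15] */
#define BPF_MAXINSNS 4096  /* assumed cap on program length */

/* Returns 1 if every instruction is safe to execute, 0 otherwise. */
int bpf_validate(const struct bpf_insn *prog, size_t len)
{
    if (prog == NULL || len == 0 || len > BPF_MAXINSNS)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &prog[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            /* A load from scratch memory must index inside M[]. */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ST:
        case BPF_STX:
            /* Stores always target scratch memory: bound the index. */
            if (p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ALU:
            /* Division by a constant zero would fault inside the driver. */
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0)
                return 0;
            break;
        case BPF_JMP:
            /* Targets must be later instructions inside the program; classic
             * BPF only jumps forward, so this also rules out loops. */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= len - i - 1)
                    return 0;
            } else if (i + 1 + p->jt >= len || i + 1 + p->jf >= len) {
                return 0;
            }
            break;
        default: /* BPF_RET and BPF_MISC carry no index to bound */
            break;
        }
    }
    /* Control must end in a RET rather than run off the end of the array. */
    return BPF_CLASS(prog[len - 1].code) == BPF_RET;
}

/* Constructed sample programs for the demonstration. */
const struct bpf_insn prog_ipv4_ok[] = {   /* accept only EtherType 0x0800 */
    { BPF_LD | BPF_H | BPF_ABS,  0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0x0800 },
    { BPF_RET | BPF_K,           0, 0, 0xffff },
    { BPF_RET | BPF_K,           0, 0, 0 },
};
const struct bpf_insn prog_bad_store[] = { /* writes M[32], past the 16 slots */
    { BPF_ST,          0, 0, 32 },
    { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct bpf_insn prog_bad_jump[] = {  /* true branch lands past the end */
    { BPF_JMP | BPF_JEQ | BPF_K, 5, 0, 0x0800 },
    { BPF_RET | BPF_K,           0, 0, 0 },
};
const struct bpf_insn prog_no_ret[] = {    /* falls off the end without RET */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, 12 },
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("ipv4_ok=%d bad_store=%d bad_jump=%d no_ret=%d\n",
           bpf_validate(prog_ipv4_ok, LEN(prog_ipv4_ok)),
           bpf_validate(prog_bad_store, LEN(prog_bad_store)),
           bpf_validate(prog_bad_jump, LEN(prog_bad_jump)),
           bpf_validate(prog_no_ret, LEN(prog_no_ret)));
    return 0;
}
```

The validator only covers operands that are fixed at load time. Packet loads (BPF_ABS and BPF_IND modes) take their offset from the instruction or a register and have to be bounded against the actual packet length by the interpreter on every received packet; that run-time check is the other half of keeping a filter inside its buffers, and a driver that skips either half exposes kernel memory to whatever program a local user supplies.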
Impact
A local, authenticated attacker who can execute a malicious BPF program may be able to run arbitrary code with SYSTEM privileges.
Solution
Apply an update from the affected vendor, or uninstall the affected software.
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
ASUSTeK Computer Inc. | Affected | 17 Mar 2017 | 21 Mar 2017 |
Printing Communications Association, Inc. | Affected | - | 17 Mar 2017 |
Dell | Not Affected | 17 Mar 2017 | 21 Apr 2017 |
Acer | Unknown | 17 Mar 2017 | 17 Mar 2017 |
Hewlett Packard Enterprise | Unknown | 17 Mar 2017 | 17 Mar 2017 |
Lenovo | Unknown | 17 Mar 2017 | 17 Mar 2017 |
Toshiba America Information Systems, Inc. | Unknown | 17 Mar 2017 | 17 Mar 2017 |
VAIO Corporation | Unknown | 17 Mar 2017 | 17 Mar 2017 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 6.6 | AV:L/AC:M/Au:S/C:C/I:C/A:C |
Temporal | 5.6 | E:POC/RL:U/RC:UR |
Environmental | 4.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- http://blog.rewolf.pl/blog/?p=1778
- http://cwe.mitre.org/data/definitions/119.html
- https://www.kernel.org/doc/Documentation/networking/filter.txt
- https://msdn.microsoft.com/en-us/windows/hardware/drivers/network/introduction-to-ndis-protocol-drivers
Credit
This issue was reported publicly by "ReWolf" (@rwfpl).
This document was written by Garret Wassermann.
Other Information
- CVE IDs: CVE-2017-3196
- Date Public: 15 Mar 2017
- Date First Published: 21 Mar 2017
- Date Last Updated: 21 Apr 2017
- Document Revision: 34