
CERT Coordination Center


PCAUSA Rawether for Windows local privilege escalation

Vulnerability Note VU#600671

Original Release Date: 2017-03-21 | Last Revised: 2017-04-21

Overview

PCAUSA's Rawether framework does not properly validate BPF data, allowing a crafted malicious BPF program to read or write memory outside its intended bounds when the driver receives network packets. This vulnerability may be exploited to perform local privilege escalation on Windows systems.

Description

The Rawether framework for Windows, originally produced by Printing Communications Assoc., Inc. (PCAUSA), is a framework that facilitates communication between an application and the Network Driver Interface System (NDIS) protocol. This framework is used by many different hardware vendors in their WiFi and router control applications. Rawether implements the Berkeley Packet Filter (BPF) mechanism. BPF filters are compiled into small programs that are executed by a BPF virtual machine.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2017-3196

The Rawether framework does not properly validate BPF programs before execution, allowing BPF programs that may read/write arbitrary memory or infinitely loop. The return address on the stack may be overwritten, allowing a local user to execute arbitrary code with SYSTEM privileges.
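The checks a BPF virtual machine is expected to run before executing an untrusted program are well known from the BSD/libpcap and Linux classic-BPF implementations, and their absence is exactly the defect CWE-119 names here. The following is an added example of such a static validator; it is not Rawether code, not the researcher's code, and the page does not describe what checks (if any) the PcaSp60.sys driver performs. It uses the classic BPF instruction layout and opcode constants from libpcap, and the four sample programs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction, as in BSD BPF / libpcap. */
struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Classic BPF opcode encoding (the libpcap constants). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_ST   0x02
#define BPF_STX  0x03
#define BPF_ALU  0x04
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_MEM  0x60
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_JA   0x00
#define BPF_DIV  0x30
#define BPF_MOD  0x90
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_K    0x00

#define BPF_MEMWORDS 16    /* size of the scratch memory M[] */
#define BPF_MAXINSNS 4096  /* refuse absurdly long programs */

enum bpf_verdict {
    BPF_OK = 0, BPF_ERR_EMPTY, BPF_ERR_TOO_LONG, BPF_ERR_BAD_MEM,
    BPF_ERR_DIV_ZERO, BPF_ERR_BAD_JUMP, BPF_ERR_NO_RET
};

/* Static checks to run before executing an untrusted program.  Packet loads
   (BPF_ABS/BPF_IND) still need a run-time bound against the packet length;
   everything decidable before the first packet arrives is checked here. */
enum bpf_verdict bpf_validate(const struct bpf_insn *prog, size_t len)
{
    if (len == 0)
        return BPF_ERR_EMPTY;
    if (len > BPF_MAXINSNS)
        return BPF_ERR_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &prog[i];
        size_t remaining = len - 1 - i; /* jump target is i + 1 + offset */

        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            /* M[k] past the 16-word scratch area would read adjacent kernel memory. */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return BPF_ERR_BAD_MEM;
            break;
        case BPF_ST:
        case BPF_STX:
            /* Same bound on the write side: this is the out-of-bounds write. */
            if (p->k >= BPF_MEMWORDS)
                return BPF_ERR_BAD_MEM;
            break;
        case BPF_ALU:
            /* A constant divisor of zero would fault inside the VM. */
            if ((BPF_OP(p->code) == BPF_DIV || BPF_OP(p->code) == BPF_MOD) &&
                BPF_SRC(p->code) == BPF_K && p->k == 0)
                return BPF_ERR_DIV_ZERO;
            break;
        case BPF_JMP:
            /* Offsets are unsigned and added to i + 1, so every accepted jump
               is forward and inside the program: no loops, no run-off. */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= remaining)
                    return BPF_ERR_BAD_JUMP;
            } else if (p->jt >= remaining || p->jf >= remaining) {
                return BPF_ERR_BAD_JUMP;
            }
            break;
        default: /* BPF_RET, BPF_MISC: nothing to check statically */
            break;
        }
    }
    /* Execution must end in RET rather than fall off the end of the program. */
    if (BPF_CLASS(prog[len - 1].code) != BPF_RET)
        return BPF_ERR_NO_RET;
    return BPF_OK;
}

/* Constructed sample programs.  prog_ipv4 is tcpdump's "ip" filter. */
static const struct bpf_insn prog_ipv4[] = {
    { 0x28, 0, 0, 12 },         /* ldh [12]           ; EtherType   */
    { 0x15, 0, 1, 0x0800 },     /* jeq #0x800, L1, L2                */
    { 0x06, 0, 0, 0xffffffff }, /* L1: ret #-1        ; accept      */
    { 0x06, 0, 0, 0 },          /* L2: ret #0         ; drop        */
};
static const struct bpf_insn prog_bad_jump[] = {   /* offset wraps past the end */
    { 0x05, 0, 0, 0xffffffff }, { 0x06, 0, 0, 0 },
};
static const struct bpf_insn prog_bad_mem[] = {    /* st M[16]: one past M[] */
    { 0x02, 0, 0, 16 }, { 0x06, 0, 0, 0 },
};
static const struct bpf_insn prog_no_ret[] = {     /* ld #1, no terminating RET */
    { 0x00, 0, 0, 1 },
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("ipv4=%d bad_jump=%d bad_mem=%d no_ret=%d\n",
           bpf_validate(prog_ipv4, LEN(prog_ipv4)),
           bpf_validate(prog_bad_jump, LEN(prog_bad_jump)),
           bpf_validate(prog_bad_mem, LEN(prog_bad_mem)),
           bpf_validate(prog_no_ret, LEN(prog_no_ret)));
    return 0;
}
```

The three rejected programs correspond to the three failure modes the advisory lists: a scratch-memory index outside M[] (arbitrary read/write next to the VM's state), a jump offset that leaves the program (loops or execution of whatever follows the instruction array), and a program with no terminal RET. Note that the jump check is what makes infinite loops impossible in classic BPF: offsets are unsigned and always relative to the next instruction, so an accepted program can only move forward.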

To enable the vulnerable part of the driver, an exploit has to issue an OID_GEN_CURRENT_PACKET_FILTER NDIS request with NDIS_PACKET_TYPE_ALL_LOCAL flags and set the BPF program. The exploit is triggered by reading the first received network packet.

The researcher has provided a proof of concept affecting the 64-bit version of the PcaSp60.sys driver, which is part of the ASUS PCE-AC56 WLAN Card Utilities. However, other utilities and programs that make use of this driver may also be affected. Identifying vulnerable software may be difficult because the driver name, version, device name, and other identifying information vary between products, but the vulnerable driver is most likely included in OEM WiFi utility programs. Some common default names for the affected drivers include:

    • PcaSp60.sys
    • PcaSp50.sys
    • PcaMp60.sys
    • PcaMp50.sys

For more information, see the researcher's blog post.

Impact

A local authenticated attacker may be able to execute a malicious BPF program that can execute arbitrary code with SYSTEM privileges.

Solution

Apply an update or uninstall affected software

Apply an update to any software that makes use of the Rawether driver. Alternately, uninstall any affected software.

A list of possibly affected vendors is given below and will be updated as we learn more.

Vendor Information

ASUSTeK Computer Inc.

Notified:  March 17, 2017 Updated:  March 21, 2017

Statement Date:   March 21, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

ASUS expects updated utilities to be released by the end of March.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Printing Communications Association, Inc.

Updated:  March 17, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Dell

Notified:  March 17, 2017 Updated:  April 21, 2017

Statement Date:   April 20, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Acer

Notified:  March 17, 2017 Updated:  March 17, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Hewlett Packard Enterprise

Notified:  March 17, 2017 Updated:  March 17, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Lenovo

Notified:  March 17, 2017 Updated:  March 17, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Toshiba America Information Systems, Inc.

Notified:  March 17, 2017 Updated:  March 17, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

VAIO Corporation

Notified:  March 17, 2017 Updated:  March 17, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.
CVSS Metrics

Group Score Vector
Base 6.6 AV:L/AC:M/Au:S/C:C/I:C/A:C
Temporal 5.6 E:POC/RL:U/RC:UR
Environmental 4.2 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

This issue was reported publicly by "ReWolf" (@rwfpl).

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-3196
Date Public: 2017-03-15
Date First Published: 2017-03-21
Date Last Updated: 2017-04-21 04:50 UTC
Document Revision: 34

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.