NDI5aster – Privilege Escalation Through NDIS 5.x Filter Intermediate Drivers

The Network Driver Interface Specification (NDIS) provides a programming interface specification that facilitates from the network driver architecture perspective the communication between a protocol driver and the underlying network adapter. In Windows OS the so called “NDIS wrapper” (implemented in the Ndis.sys) provides a programming layer of communication between network protocols (TCP/IP) and all the underlying NDIS device drivers so that the implementation of high-level protocol components are independent of the network adapter itself. During vulnerability research from a local security perspective that was performed over several software firewall products designed for Windows XP and Windows Server 2003 (R2 included), an issue during the loading and initialization of one of the OS NDIS protocol drivers was identified; specifically the ‘Remote Access and Routing Driver’ called wanarp.sys. This issue can be exploited through various NDIS 5.x filter intermediate drivers that provide the firewall functionality of several security related products. The resulting impact is vertical privilege escalation which allows a local attacker to execute code with kernel privileges from any account type, thus completely compromising the affected host.

Leave a Reply