iDefense Security Advisory 07.09.07 - Local exploitation of an input validation vulnerability within the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context. The vulnerability specifically exists due to insufficient input validation when handling the Interrupt Request Packet (Irp) parameters passed to IOCTL 9031 (BIOCGSTATS). By passing carefully chosen parameters to this IOCTL, an attacker can overwrite arbitrary kernel memory. iDefense has confirmed the existence of this vulnerability in version 4.0 of WinPcap as included in Wireshark 0.99.5. The version of NPF.SYS tested was 4.0.0.755. Older versions are suspected to be vulnerable.
46e2bfe73ac2f8cddb383c6eb203c2af59b776d93221bddaf74a00d1d638a46c