Npcap 0.992 Pool Corruption #308
Sending a malformed .pcap with npcap loopback adapter causes kernel pool corruption.
When sending a malformed .pcap file with the npcap loopback adapter using either
Version: npcap 0.992
Tested on: Windows 10 x64
Note: I have also had success triggering the bug with the below PoC (test.pcap). Enabling special pool may be required to trigger the crash.
Additional Information (verifier.exe /standard /driver npcap.sys):
Even though this particular bug in version Npcap 0.992 has already been fixed on GitHub and a new release with the fix is imminent, I wanted to say thanks for this excellent bug report! If all of our reports were so detailed, it would make fixing them a lot easier. Cheers!
CVE-2019-11490 has been issued for this bug, and we have opened a dispute over the scoring with NVD. The CVSSv2 score of 9.3 is based on incorrectly scoring it as a network-accessible vulnerability requiring no authentication, when in reality it requires a local authenticated user.
We welcome any input that anyone can provide regarding the exploitability of this issue. The bug is a double-free (CWE-415) of the user-allocated buffer provided via the BIOCSENDPACKETSNOSYNC IoCtl.
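The thread above describes the bug class (a double-free, CWE-415, of a caller-supplied buffer) and notes that Driver Verifier's special pool was needed to make the corruption visible. The following is an added, user-mode illustration of both points; it is not Npcap's code and the packet layout, handler names and tracked allocator are all constructed for this example. A tiny tracked allocator plays the role of special pool by recording whether each block is live, so a second free on an error path is counted instead of silently corrupting the heap; a buggy handler (helper frees on error, caller frees unconditionally) is shown next to the single-owner version of the same logic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical tracked allocator standing in for Driver Verifier's special
 * pool. Constructed for this example; it models no real kernel API. */
#define MAX_TRACKED 16

typedef struct {
    void *ptr;
    int   live;          /* 1 = allocated, 0 = already freed */
} tracked_t;

static tracked_t g_track[MAX_TRACKED];
static int g_double_frees;   /* frees observed on blocks that were not live */

static void tracker_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(g_track[i].ptr);           /* memory is really released only here */
        g_track[i].ptr = NULL;
        g_track[i].live = 0;
    }
    g_double_frees = 0;
}

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_track[i].ptr == NULL) {
            g_track[i].ptr = malloc(n);
            g_track[i].live = (g_track[i].ptr != NULL);
            return g_track[i].ptr;
        }
    }
    return NULL;
}

/* Like special pool, a free of a non-live block is flagged rather than honoured. */
static void tracked_free(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_track[i].ptr == p && p != NULL) {
            if (!g_track[i].live) { g_double_frees++; return; }   /* CWE-415 caught */
            g_track[i].live = 0;
            return;
        }
    }
}

/* Constructed packet layout, not Npcap's. */
typedef struct { uint32_t len; uint8_t data[64]; } packet_t;

/* Buggy ownership: the helper releases the buffer on a malformed length... */
static int validate_buggy(packet_t *pkt) {
    if (pkt->len > sizeof pkt->data) {
        tracked_free(pkt);
        return -1;
    }
    return 0;
}

/* ...and the caller releases it again unconditionally: double free on the error path. */
static int send_packets_buggy(const packet_t *user_input) {
    packet_t *buf = tracked_alloc(sizeof *buf);
    if (!buf) return -1;
    memcpy(buf, user_input, sizeof *buf);
    int rc = validate_buggy(buf);
    tracked_free(buf);
    return rc;
}

/* Fixed: exactly one owner. The helper only reports; the caller frees once and clears the pointer. */
static int validate_fixed(const packet_t *pkt) {
    return pkt->len > sizeof pkt->data ? -1 : 0;
}

static int send_packets_fixed(const packet_t *user_input) {
    packet_t *buf = tracked_alloc(sizeof *buf);
    if (!buf) return -1;
    memcpy(buf, user_input, sizeof *buf);
    int rc = validate_fixed(buf);
    tracked_free(buf);
    buf = NULL;
    return rc;
}

/* Run a handler on a constructed packet with the given claimed length and
 * return how many double frees the tracker detected. */
static int run_and_count(int (*handler)(const packet_t *), uint32_t claimed_len) {
    packet_t input;
    memset(&input, 0, sizeof input);
    input.len = claimed_len;       /* 1000 > 64 makes the packet malformed */
    tracker_reset();
    handler(&input);
    return g_double_frees;
}

int main(void) {
    printf("buggy handler, malformed input: %d double free(s)\n", run_and_count(send_packets_buggy, 1000));
    printf("buggy handler, valid input:     %d double free(s)\n", run_and_count(send_packets_buggy, 16));
    printf("fixed handler, malformed input: %d double free(s)\n", run_and_count(send_packets_fixed, 1000));
    tracker_reset();
    return 0;
}
```

The point of the tracker is the same as the reporter's note about special pool: a plain allocator may absorb the second free without any visible symptom, so the defect only shows up under an allocator that checks block state on every release. The fix is the usual one for this class, a single clear owner of the buffer with the pointer cleared after the one free.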