var-200612-0565
Vulnerability from variot
Stack-based buffer overflow in Intel PRO 10/100, PRO/1000, and PRO/10GbE PCI, PCI-X, and PCIe network adapter drivers (aka NDIS miniport drivers) before 20061205 allows local users to execute arbitrary code with "kernel-level" privileges via an incorrect function call in certain OID handlers. The Intel PRO Ethernet driver contains a buffer overflow vulnerability. This can lead to arbitrary code execution on the local machine. A local user may execute arbitrary code with system privileges on the local machine. An attacker can trigger this issue to corrupt memory and to execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer due to privilege escalation. All PCI, PCI-X, and PCIe Intel network adapter drivers are vulnerable. Intel Pro 100/1000 is a series of network card devices launched by Intel. Although the NDIS miniport driver occupies a low level, unprivileged userland code can still communicate with the driver through NIC statistics requests that need to be implemented by NDIS. If an attacker can send an IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request to \Device\{adapterguid}, NDIS.SYS calls the QueryInformationHandler routine that the miniport driver registered when it called NdisMRegisterMiniport. The input buffer provided by this IOCTL is a list of 32-bit OIDs related to statistics, each of which is passed independently to the QueryInformationHandler, which contains the code required to retrieve the statistics and return them to the output buffer. Under Windows 2000, pointers to user-supplied buffers are passed directly to the miniport driver, which means the data is user-controllable. Under Windows XP and later versions, the pointer passed refers to a temporary buffer in kernel memory that contains undefined data, so the pool memory must be controlled before the attack to control the above data.
The handler for OID 0xFF0203FC copies a string from the output buffer to a stack variable using the following strcpy operation: strcpy(&(var_1D4.sz_62), (char*)InformationBuffer + 4). Thus, an attacker-supplied string can cause the handler to completely overwrite the return address of the function, redirecting execution flow to an arbitrary user-mode or kernel-mode address. The attack string must be at offset +0x0C in the output buffer, as NDIS itself uses the first 8 bytes.
TITLE: Intel LAN Driver Unspecified Privilege Escalation Vulnerability
SECUNIA ADVISORY ID: SA23221
VERIFY ADVISORY: http://secunia.com/advisories/23221/
CRITICAL: Less critical
IMPACT: Privilege escalation
WHERE: Local system
SOFTWARE:
Intel PRO 10/100 Adapters (Linux) 3.x http://secunia.com/product/12824/
Intel PRO 10/100 Adapters (UnixWare/SCO6) 4.x http://secunia.com/product/12827/
Intel PRO 10/100 Adapters (Windows) 8.x http://secunia.com/product/12821/
Intel PRO/1000 Adapters (Linux) 7.x http://secunia.com/product/12825/
Intel PRO/1000 Adapters (UnixWare/SCO6) 9.x http://secunia.com/product/12828/
Intel PRO/1000 Adapters (Windows) 8.x http://secunia.com/product/12822/
Intel PRO/1000 PCIe Adapters (Windows) 9.x http://secunia.com/product/12823/
Intel PRO/10GbE Adapters (Linux) 1.x http://secunia.com/product/12826/
DESCRIPTION: A vulnerability has been reported in Intel LAN drivers, which can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow by using certain function calls incorrectly.
SOLUTION: Apply patches (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY: The vendor credits eEye Digital Security.
ORIGINAL ADVISORY: Intel: http://www.intel.com/support/network/sb/CS-023726.htm
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200612-0565",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "pro 10 100 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "3.5.14"
},
{
"model": "pro 1000 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "7.2.7"
},
{
"model": "pro 1000 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "8.7.1.0"
},
{
"model": "pro 10 100 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "8.0.27.0"
},
{
"model": "pro 10 100 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "4.0.3"
},
{
"model": "pro 1000 pcie adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "9.1.30.0"
},
{
"model": "pro 10gbe adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "1.0.109"
},
{
"model": "pro 1000 adapters",
"scope": "lte",
"trust": 1.0,
"vendor": "intel",
"version": "9.0.15"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "intel",
"version": null
},
{
"model": "pcie pro/1000",
"scope": "lte",
"trust": 0.8,
"vendor": "intel",
"version": "9.0.15.0 from 9.1.34.0"
},
{
"model": "pro 10/100",
"scope": "lte",
"trust": 0.8,
"vendor": "intel",
"version": "4.2.38.1 from 8.0.27.0"
},
{
"model": "pro/1000",
"scope": "lte",
"trust": 0.8,
"vendor": "intel",
"version": "6.2.21.0 from 8.7.1.0"
},
{
"model": "vaio",
"scope": "eq",
"trust": 0.8,
"vendor": "sony",
"version": "( see the vendor information for type names. )"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "220w(np3/np4/np7/np9)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "270gx(nw1/nw2/nw3)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "270hx(nw5)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "270w(nw6/nw7)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "330w(dg5/dg8)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "350w(de3/de4/de5/de7/de8/de9)"
},
{
"model": "flora",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "bd100 a1/a3/b2/b3"
},
{
"model": "ha8000 series",
"scope": null,
"trust": 0.8,
"vendor": "hitachi",
"version": null
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "k series: pcf-ar37k"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar35k"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar340"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "l series: pcf-ar37l"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar35l"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "m series: pcf-ar37m"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar35m"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar33m"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "n series: pcf-ar35n"
},
{
"model": "prius air",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ar33n"
},
{
"model": "prius airnote",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "k series: pcf-an37kt"
},
{
"model": "prius airnote",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "l series: pcf-an37lt"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "l series: pcf-ds75l"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ds73l"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "m series: pcf-ds75m"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-ds73m"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "n series: pcf-dh75n"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-dh73n"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "p series: pcf-dh75p2"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-dh73p2"
},
{
"model": "prius deck",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "pcf-dh74p2w"
},
{
"model": "celsius work station",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "( see the vendor information for type names. )"
},
{
"model": "fmv desktop",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "series ( see the vendor information for type names. )"
},
{
"model": "fmv fa computer",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "( see the vendor information for type names. )"
},
{
"model": "fmv-deskpower",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "series ( see the vendor information for type names. )"
},
{
"model": "fmv-esprimo",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "series ( see the vendor information for type names. )"
},
{
"model": "fmv-lifebook",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "series ( see the vendor information for type names. )"
},
{
"model": "option card",
"scope": "eq",
"trust": 0.8,
"vendor": "fujitsu",
"version": "(fmv lan driver - refer to vendor information for details. )"
},
{
"model": "pro/1000",
"scope": "ne",
"trust": 0.6,
"vendor": "intel",
"version": "8.7.9.0"
},
{
"model": "pro 1000 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "7.2.7"
},
{
"model": "pro 10gbe adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "1.0.109"
},
{
"model": "pro 1000 pcie adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "9.1.30.0"
},
{
"model": "pro 1000 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "9.0.15"
},
{
"model": "pro 1000 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "8.7.1.0"
},
{
"model": "pro 10 100 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "3.5.14"
},
{
"model": "pro 10 100 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "4.0.3"
},
{
"model": "pro 10 100 adapters",
"scope": "eq",
"trust": 0.6,
"vendor": "intel",
"version": "8.0.27.0"
},
{
"model": "pro/10gbe",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "1.0.109"
},
{
"model": "pro/1000 pcie",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "9.1.30.0"
},
{
"model": "pro/1000",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "0"
},
{
"model": "pro/1000",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "9.0.15"
},
{
"model": "pro/1000",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "7.2.7"
},
{
"model": "pro/1000",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "8.7.1.0"
},
{
"model": "pro",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "10/1004.0.3"
},
{
"model": "pro",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "10/1003.5.14"
},
{
"model": "pro",
"scope": "eq",
"trust": 0.3,
"vendor": "intel",
"version": "10/1008.0.27.0"
},
{
"model": "pro/10gbe",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "1.0.119"
},
{
"model": "pro/1000 pcie",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "9.6.31"
},
{
"model": "pro/1000",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "7.2.17"
},
{
"model": "pro/1000",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "9.2.6"
},
{
"model": "pro/1000",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "7.3.15"
},
{
"model": "pro",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "10/1004.0.4"
},
{
"model": "pro",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "10/1003.5.17"
},
{
"model": "pro",
"scope": "ne",
"trust": 0.3,
"vendor": "intel",
"version": "10/1008.0.43.0"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "BID",
"id": "21456"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/h:intel:pcie_pro_1000",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:intel:pro_10_100",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:intel:pro_1000",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:sony:vaio",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:hitachi:flora",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:hitachi:ha8000",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:hitachi:prius_air",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:hitachi:prius_airnote",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:hitachi:prius_deck",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:celsius_workstation",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:fmv_desktop",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:fmv_fa_personal_computer",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:fmv-deskpower",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:fmv-esprimo",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:fmv-lifebook",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/h:fujitsu:option_card",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Derek Soeder dsoeder@eeye.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
}
],
"trust": 0.6
},
"cve": "CVE-2006-6385",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "CVE-2006-6385",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 3.9,
"id": "VHN-22493",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2006-6385",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#296681",
"trust": 0.8,
"value": "1.06"
},
{
"author": "NVD",
"id": "CVE-2006-6385",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200612-151",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-22493",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "VULHUB",
"id": "VHN-22493"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Stack-based buffer overflow in Intel PRO 10/100, PRO/1000, and PRO/10GbE PCI, PCI-X, and PCIe network adapter drivers (aka NDIS miniport drivers) before 20061205 allows local users to execute arbitrary code with \"kernel-level\" privileges via an incorrect function call in certain OID handlers. Intel PRO Ethernet The driver contains a buffer overflow vulnerability. This can lead to arbitrary code execution on the local machine.A local user may execute arbitrary code with system privileges on the local machine. \nAn attacker can trigger this issue to corrupt memory and to execute code with kernel-level privileges. \nA successful attack can result in a complete compromise of the affected computer due to privilege escalation. \nAll PCI, PCI-X, and PCIe Intel network adapter drivers are vulnerable. Intel Pro 100/1000 is a series of network card devices launched by Intel. Although the NDIS miniport driver occupies a low level, unprivileged userland code can still communicate with the driver through NIC statistics requests that need to be implemented by NDIS. If an attacker can send an IOCTL_NDIS_QUERY_SELECTED_STATS (0x17000E) request to \\Device\\{adapterguid}, it will cause NDIS.SYS to call the QueryInformationHandler routine registered by the miniport driver when calling NdisMRegisterMiniport. The input buffer provided by this IOCTL is a list of 32-bit OIDs related to statistics, each of which is passed independently to the QueryInformationHandler, which contains the code required to retrieve the statistics and return them to the output buffer. Under Windows 2000, pointers to user-supplied buffers are passed directly to the miniport driver, which means the data is user-controllable. Under Windows XP and later versions, the pointer is transferred to a temporary buffer containing undefined data in the kernel memory, so the pool memory must be controlled before the attack to control the above data. 
A processor with OID 0xFF0203FC copies the output buffer\u0027s string to a stack variable using the following strcpy operation: strcpy(\u0026(var_1D4.sz_62), (char*)InformationBuffer + 4) Thus, an attacker can String causes the processor to completely overwrite the return address of the function, redirecting execution flow to an arbitrary user-mode or kernel-mode address. The attack string must be at offset +0x0C in the output buffer, as NDIS itself uses the first 8 bytes. \n\n----------------------------------------------------------------------\n\nTo improve our services to our customers, we have made a number of\nadditions to the Secunia Advisories and have started translating the\nadvisories to German. \n\nThe improvements will help our customers to get a better\nunderstanding of how we reached our conclusions, how it was rated,\nour thoughts on exploitation, attack vectors, and scenarios. \n\nThis includes:\n* Reason for rating\n* Extended description\n* Extended solution\n* Exploit code or links to exploit code\n* Deep links\n\nRead the full description:\nhttp://corporate.secunia.com/products/48/?r=l\n\nContact Secunia Sales for more information:\nhttp://corporate.secunia.com/how_to_buy/15/?r=l\n\n----------------------------------------------------------------------\n\nTITLE:\nIntel LAN Driver Unspecified Privilege Escalation Vulnerability\n\nSECUNIA ADVISORY ID:\nSA23221\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/23221/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nPrivilege escalation\n\nWHERE:\nLocal system\n\nSOFTWARE:\nIntel PRO 10/100 Adapters (Linux) 3.x\nhttp://secunia.com/product/12824/\nIntel PRO 10/100 Adapters (UnixWare/SCO6) 4.x\nhttp://secunia.com/product/12827/\nIntel PRO 10/100 Adapters (Windows) 8.x\nhttp://secunia.com/product/12821/\nIntel PRO/1000 Adapters (Linux) 7.x\nhttp://secunia.com/product/12825/\nIntel PRO/1000 Adapters (UnixWare/SCO6) 9.x\nhttp://secunia.com/product/12828/\nIntel PRO/1000 Adapters (Windows) 
8.x\nhttp://secunia.com/product/12822/\nIntel PRO/1000 PCIe Adapters (Windows) 9.x\nhttp://secunia.com/product/12823/\nIntel PRO/10GbE Adapters (Linux) 1.x\nhttp://secunia.com/product/12826/\n\nDESCRIPTION:\nA vulnerability has been reported in Intel LAN drivers, which can be\nexploited by malicious, local users to gain escalated privileges. \n\nThe vulnerability is caused due to an unspecified error and can be\nexploited to cause a buffer overflow by using certain function calls\nincorrectly. \n\nSOLUTION:\nApply patches (see the vendor\u0027s advisory for details). \n\nPROVIDED AND/OR DISCOVERED BY:\nThe vendor credits eEye Digital Security. \n\nORIGINAL ADVISORY:\nIntel:\nhttp://www.intel.com/support/network/sb/CS-023726.htm\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2006-6385"
},
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "BID",
"id": "21456"
},
{
"db": "VULHUB",
"id": "VHN-22493"
},
{
"db": "PACKETSTORM",
"id": "52799"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "SECUNIA",
"id": "23221",
"trust": 3.4
},
{
"db": "CERT/CC",
"id": "VU#296681",
"trust": 3.3
},
{
"db": "BID",
"id": "21456",
"trust": 2.8
},
{
"db": "NVD",
"id": "CVE-2006-6385",
"trust": 2.8
},
{
"db": "SECTRACK",
"id": "1017346",
"trust": 2.5
},
{
"db": "SREASON",
"id": "2007",
"trust": 1.7
},
{
"db": "VUPEN",
"id": "ADV-2006-4871",
"trust": 1.7
},
{
"db": "XF",
"id": "30750",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151",
"trust": 0.7
},
{
"db": "MLIST",
"id": "[FREEBSD-SECURITY] 20061206 INTEL LAN DRIVER BUFFER OVERFLOW LOCAL PRIVILEGE ESCALATION",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20061207 EEYE: INTEL NETWORK ADAPTER DRIVER LOCAL PRIVILEGE ESCALATION",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-22493",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "52799",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "VULHUB",
"id": "VHN-22493"
},
{
"db": "BID",
"id": "21456"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "PACKETSTORM",
"id": "52799"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"id": "VAR-200612-0565",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-22493"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T22:46:56.734000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Network Connectivity - Intel LAN Driver Buffer Overflow Local Privilege Escalation",
"trust": 0.8,
"url": "http://www.intel.com/support/network/sb/CS-023726.htm"
},
{
"title": "Network Connectivity - How to Determine the Driver Version for an Intel Network Adapter",
"trust": 0.8,
"url": "http://support.intel.com/support/network/sb/CS-023453.htm"
},
{
"title": "INTEL-SA-00006",
"trust": 0.8,
"url": "http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00006\u0026languageid=en-fr"
},
{
"title": "\u30b5\u30dd\u30fc\u30c8\u30da\u30fc\u30b8",
"trust": 0.8,
"url": "http://vcl.vaio.sony.co.jp/"
},
{
"title": "\u300cEthernet Driver Ver.8.0.43.0\u300d\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u30d7\u30ed\u30b0\u30e9\u30e0",
"trust": 0.8,
"url": "http://vcl.vaio.sony.co.jp/download/SP-015317-00.html"
},
{
"title": "\u300cEthernet Driver Ver.8.7.9.0\u300d\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u30d7\u30ed\u30b0\u30e9\u30e0",
"trust": 0.8,
"url": "http://vcl.vaio.sony.co.jp/download/SP-015318-00.html"
},
{
"title": "\u300cEthernet Driver Ver.9.6.31.0\u300d\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u30d7\u30ed\u30b0\u30e9\u30e0",
"trust": 0.8,
"url": "http://vcl.vaio.sony.co.jp/download/SP-015318-01.html"
},
{
"title": "\u30a4\u30f3\u30c6\u30ebR LAN \u30c9\u30e9\u30a4\u30d0\u30fc : \u30d0\u30c3\u30d5\u30a1\u30fc\u30fb\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u306b\u3088\u308b\u30ed\u30fc\u30ab\u30eb\u6a29\u9650\u306e\u6607\u683c",
"trust": 0.8,
"url": "http://www.intel.com/jp/support/network/sb/CS-023726.htm"
},
{
"title": "\u3010\u91cd\u8981\u3011Inetl\u793e\u88fdLAN\u30c9\u30e9\u30a4\u30d0\u306e\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/OSD/pc/ha/information/info070104.html"
},
{
"title": "\u3010\u91cd\u8981\u3011 Intel\u793e\u88fdLAN\u30c9\u30e9\u30a4\u30d0\u306e\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/Prod/comp/OSD/pc/flora/information/info0701051.html"
},
{
"title": "Intel\u793e\u88fdLAN\u30c9\u30e9\u30a4\u30d0\u306e\u8106\u5f31\u6027\u306b\u95a2\u3057\u3066",
"trust": 0.8,
"url": "http://prius.jeevessolutions.jp/je/faq.asp?fid=104034"
},
{
"title": "[\u7dca\u6025] Intel\u793e\u88fdLAN\u30c9\u30e9\u30a4\u30d0\u306e\u8106\u5f31\u6027\u306b\u95a2\u3059\u308b\u304a\u77e5\u3089\u305b",
"trust": 0.8,
"url": "http://www.fmworld.net/biz/common/intel/lan-driver/"
},
{
"title": "VU#296681",
"trust": 0.8,
"url": "http://software.fujitsu.com/jp/security/vulnerabilities/vu296681.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.9,
"url": "http://www.intel.com/support/network/sb/cs-023726.htm"
},
{
"trust": 2.5,
"url": "http://research.eeye.com/html/advisories/published/ad20061207.html"
},
{
"trust": 2.5,
"url": "http://research.eeye.com/html/advisories/upcoming/20060710.html"
},
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/21456"
},
{
"trust": 2.5,
"url": "http://www.kb.cert.org/vuls/id/296681"
},
{
"trust": 2.5,
"url": "http://securitytracker.com/id?1017346"
},
{
"trust": 2.5,
"url": "http://secunia.com/advisories/23221"
},
{
"trust": 1.7,
"url": "http://lists.freebsd.org/pipermail/freebsd-security/2006-december/004186.html"
},
{
"trust": 1.7,
"url": "http://securityreason.com/securityalert/2007"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/30750"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/453852/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://www.fujitsu.com/global/support/software/security/products-f/primergy-200701e.html"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2006/4871"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/30750"
},
{
"trust": 0.9,
"url": "http://secunia.com/advisories/23221/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-6385"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu%23296681/index.html"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-6385"
},
{
"trust": 0.6,
"url": "http://www.frsirt.com/english/advisories/2006/4871"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/453852/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://support.intel.com/support/network/sb/cs-006120.htm"
},
{
"trust": 0.3,
"url": "http://support.intel.com/support/network/sb/cs-006103.htm"
},
{
"trust": 0.3,
"url": "http://support.intel.com/support/network/adapter/pro100/sb/cs-008402.htm"
},
{
"trust": 0.3,
"url": "http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=migr-67116"
},
{
"trust": 0.3,
"url": "/archive/1/453852"
},
{
"trust": 0.1,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12822/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12821/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12825/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12828/"
},
{
"trust": 0.1,
"url": "http://corporate.secunia.com/products/48/?r=l"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12826/"
},
{
"trust": 0.1,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12827/"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://corporate.secunia.com/how_to_buy/15/?r=l"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12824/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/12823/"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "VULHUB",
"id": "VHN-22493"
},
{
"db": "BID",
"id": "21456"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "PACKETSTORM",
"id": "52799"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#296681"
},
{
"db": "VULHUB",
"id": "VHN-22493"
},
{
"db": "BID",
"id": "21456"
},
{
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"db": "PACKETSTORM",
"id": "52799"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2006-12-18T00:00:00",
"db": "CERT/CC",
"id": "VU#296681"
},
{
"date": "2006-12-08T00:00:00",
"db": "VULHUB",
"id": "VHN-22493"
},
{
"date": "2006-12-06T00:00:00",
"db": "BID",
"id": "21456"
},
{
"date": "2007-04-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"date": "2006-12-07T06:24:29",
"db": "PACKETSTORM",
"id": "52799"
},
{
"date": "2006-12-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"date": "2006-12-08T01:28:00",
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-01-19T00:00:00",
"db": "CERT/CC",
"id": "VU#296681"
},
{
"date": "2018-10-17T00:00:00",
"db": "VULHUB",
"id": "VHN-22493"
},
{
"date": "2008-05-06T22:45:00",
"db": "BID",
"id": "21456"
},
{
"date": "2007-06-15T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2006-000813"
},
{
"date": "2006-12-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200612-151"
},
{
"date": "2024-11-21T00:22:33.473000",
"db": "NVD",
"id": "CVE-2006-6385"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "21456"
},
{
"db": "PACKETSTORM",
"id": "52799"
},
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
}
],
"trust": 1.0
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Intel network drivers privilege escalation vulnerability",
"sources": [
{
"db": "CERT/CC",
"id": "VU#296681"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200612-151"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.