Winpcap divide by zero and invalid read bugs

rpcap fuzzer / pcap 1 / pcap 2

I'd like to report two remote denial of service vulnerabilities in the
Windows kernel driver when setting or updating a Berkeley Packet Filter
(bpf). Triggering these vulnerabilities results in a blue screen and the
system rebooting.

The bugs may be triggered locally by setting a bpf via the driver
interface or remotely by connecting to an rpcapd daemon.

Rpcapd is a nice method of performing remote captures, and the ability to
have capture filters makes it in some situations more attractive than
other methods like RSPAN.

The first bug seems to be a divide by zero condition that is not
accounted for in the bpf_validate function which should protect against
such bugs. The second seems to be an integer overflow or invalid read
when handling the ld instruction.

I will attach snippets of the windbg sessions for each vulnerability and
provide the pcap files [1] and [2] for the actual network packets (rpcap
protocol) sent to an rpcapd instance.

In each trace file the last packet (#18) is the interesting one, as it
sets the capture filter to one that results in a DoS. More precisely, the
first item of the capture filter is the culprit in both cases. The
second instruction (ret) is just needed in order to pass as a valid bpf
program.
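
As an added illustration (not code from this report and not WinPcap's
npf.sys), the validator below is modeled on the BSD bpf_validate() and
shows the two checks that the paragraphs above imply such a function must
make: reject an ALU divide by an immediate zero, and reject a load whose
operand indexes outside what it may address (scratch memory at validate
time, the packet buffer at run time). It also shows why the run-time
packet bounds check must be written so that `k + size` cannot wrap. The
opcode constants follow <net/bpf.h>; the struct layout, the helper names
and the three two-instruction programs (offending instruction followed by
a `ret`, the shape the report describes) are constructed here for
illustration and are not the instructions from the attached pcaps.

```c
#include <stdint.h>
#include <stdio.h>

/* Opcode field decoding, as in <net/bpf.h> (defined here to stay self-contained). */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD    0x00
#define BPF_LDX   0x01
#define BPF_ST    0x02
#define BPF_STX   0x03
#define BPF_ALU   0x04
#define BPF_JMP   0x05
#define BPF_RET   0x06
#define BPF_MISC  0x07
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_ABS   0x20
#define BPF_MEM   0x60
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W     0x00
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_DIV   0x30
#define BPF_JA    0x00
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K     0x00
#define BPF_MEMWORDS 16
#define BPF_MAXINSNS 512

struct bpf_insn {
    uint16_t code;
    uint8_t  jt;
    uint8_t  jf;
    uint32_t k;
};

/* Static validation of a filter program. Returns 1 if it is safe to run, 0 if not.
 * Hypothetical name; loosely follows the structure of the BSD bpf_validate(). */
int bpf_validate_example(const struct bpf_insn *f, int len)
{
    if (len < 1 || len > BPF_MAXINSNS)
        return 0;

    for (int i = 0; i < len; ++i) {
        const struct bpf_insn *p = &f[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            /* Scratch-memory loads index a fixed 16-word array: k must be in range.
             * Packet loads (ABS/IND) can only be checked at run time, see below. */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ALU:
            /* A divide by an immediate zero would fault inside the driver:
             * it must never reach the interpreter. Divide by X is a run-time check. */
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0)
                return 0;
            break;
        case BPF_JMP:
            /* Every jump target must land inside the program (no wrap-around). */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= (uint32_t)(len - i - 1))
                    return 0;
            } else if ((uint32_t)i + 1 + p->jt >= (uint32_t)len ||
                       (uint32_t)i + 1 + p->jf >= (uint32_t)len) {
                return 0;
            }
            break;
        default: /* BPF_RET, BPF_MISC: no operand to range-check. */
            break;
        }
    }
    /* The program must end in a ret, which is why a lone bad instruction is not
     * accepted and the report's filters carry a trailing ret. */
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

/* Run-time bounds check for a packet load of `size` bytes at offset k into a
 * buffer of buflen bytes. A naive `k + size > buflen` wraps for k near 2^32
 * and lets the read through; this form cannot wrap. */
int abs_load_in_bounds(uint32_t k, uint32_t size, uint32_t buflen)
{
    return k < buflen && size <= buflen - k;
}

/* Constructed programs: one offending instruction followed by `ret #65535`. */
static const struct bpf_insn prog_div_by_zero[] = {
    { BPF_ALU | BPF_DIV | BPF_K, 0, 0, 0 },          /* A = A / 0 */
    { BPF_RET | BPF_K,           0, 0, 0xffff },
};
static const struct bpf_insn prog_ld_mem_oob[] = {
    { BPF_LD | BPF_MEM,          0, 0, 0xffffffffu }, /* A = M[0xffffffff] */
    { BPF_RET | BPF_K,           0, 0, 0xffff },
};
static const struct bpf_insn prog_ok[] = {
    { BPF_LD | BPF_W | BPF_ABS,  0, 0, 12 },         /* A = pkt[12..15] */
    { BPF_RET | BPF_K,           0, 0, 0xffff },
};

int main(void)
{
    printf("div by zero : %s\n", bpf_validate_example(prog_div_by_zero, 2) ? "accepted" : "rejected");
    printf("ld mem oob  : %s\n", bpf_validate_example(prog_ld_mem_oob, 2) ? "accepted" : "rejected");
    printf("ld abs 12   : %s\n", bpf_validate_example(prog_ok, 2) ? "accepted" : "rejected");
    printf("abs k=0xfffffffe size=4 in 64-byte pkt: %s\n",
           abs_load_in_bounds(0xfffffffeu, 4, 64) ? "in bounds" : "out of bounds");
    return 0;
}
```

The static check and the run-time check are deliberately separate: the
validator sees only the program, so it can reject constant operands such
as a zero divisor or a scratch index, but a packet offset is only known to
be unsafe once the captured length is known, and that is where the
overflow-safe comparison matters.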

I will also attach a sulley fuzzing script that I used to confirm these
bugs.

Oliver-Tobias Ripka (otr)