I'd like to report two remote denial of service vulnerabilities in the
Windows kernel driver when setting or updating a Berkeley Packet Filter
(bpf). Triggering these vulnerabilities results in a blue screen and the
The bug may be triggered locally by setting a bpf via the driver
interface or remotely by connecting to an rpcapd daemon.
Rpcapd is a nice method of performing remote captures and the ability to
have capture filters makes it in some situations more attractive than other
methods like rspans.
The first bug seems to be a divide by zero condition that is not
accounted for in the bpf_validate function which should protect against
such bugs. The second seems to be an integer overflow or invalid read
when handling the ld instruction.
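As an added illustration (not code from this report, from the driver, or from libpcap), here is a minimal bpf_validate-style check in C for the two conditions described above, an immediate divisor of zero and an out-of-range scratch-memory index on a ld, plus the jump-target and trailing-ret checks a validator normally carries. The instruction encoding follows classic libpcap BPF; the two sample filters at the end are constructed for the check.

```c
#include <stdint.h>

/* Classic BPF encoding (libpcap layout); the opcode splits into class/mode/op/src. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU = 0x04,
       BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MEM = 0x60, BPF_DIV = 0x30, BPF_JA = 0x00,
       BPF_K = 0x00, BPF_MEMWORDS = 16 /* size of the scratch store M[] */ };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Returns 1 if the filter is safe to install, 0 if it must be rejected. */
int validate_bpf(const struct bpf_insn *f, int len)
{
    if (len < 1) return 0;
    for (int i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD: case BPF_LDX:   /* scratch-memory loads must stay inside M[0..15] */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= (uint32_t)BPF_MEMWORDS) return 0;
            break;
        case BPF_ST: case BPF_STX:   /* same bound for stores */
            if (p->k >= (uint32_t)BPF_MEMWORDS) return 0;
            break;
        case BPF_ALU:                /* an immediate divisor of zero would fault in the kernel */
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0) return 0;
            break;
        case BPF_JMP:                /* every jump target must land inside the program */
            if (BPF_OP(p->code) == BPF_JA) { if (p->k >= (uint32_t)(len - i - 1)) return 0; }
            else if (i + 1 + p->jt >= len || i + 1 + p->jf >= len) return 0;
            break;
        }
    }
    return BPF_CLASS(f[len - 1].code) == BPF_RET; /* the program must end in a ret */
}

/* Constructed samples: "div #0; ret #65535" is rejected, "ld M[3]; ret #65535" is accepted. */
int sample_div_zero(void) {
    struct bpf_insn f[] = { { BPF_ALU | BPF_DIV | BPF_K, 0, 0, 0 }, { BPF_RET | BPF_K, 0, 0, 65535 } };
    return validate_bpf(f, 2);
}
int sample_mem_ok(void) {
    struct bpf_insn f[] = { { BPF_LD | BPF_MEM, 0, 0, 3 }, { BPF_RET | BPF_K, 0, 0, 65535 } };
    return validate_bpf(f, 2);
}
```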
I will attach snippets of the windbg sessions for each vulnerability and
provide the pcap files  and  for the actual network packets (rpcap
protocol) sent to an rpcapd instance.
In each trace file the last packet (#18) is the interesting one as it
sets the capture filter to one that results in a DoS. More precisely, the
first item of the capture filter is the culprit for both cases. The
second instruction (ret) is just needed in order to pass as valid bpf
I will also attach a sulley fuzzing script that I used to confirm these
Oliver-Tobias Ripka (otr)