2026-07-06 20:06:53 +00:00
2026-07-06 18:50:37 +00:00
2026-07-06 19:47:34 +00:00

What day-zero dug up in tcpip.sys

Windows TCP/IP driver, 8,421 functions, no symbols. These are leads, not confirmed bugs — spots worth opening in Ghidra, not proof of anything.

A length going into NdisGetDataBuffer:

len = ((arg2 & 0xf) << 2) - 20

Low nibble times 4, minus 20 — a header-length field in 4-byte words with a 20-byte header subtracted off. Nibble under 5 and it underflows to ~4GB.

A length walked through four functions, none of them bounding it, from a network entry point down into a packet parser:

0x1400557d0 -> 0x140053d04 -> 0x14006323c -> 0x140061850 -> NdisGetDataBuffer

Every hop assumes someone else checked it.

A handful of WFP functions (WfpBufferCopy, WfpHandOffTupleStateToTemporaryAleEntry) hand an unchecked value straight to ExAllocatePool2 as the allocation size. One computes it as (input << 4) + 0x2e — multiply attacker input by 16, allocate that.

And the spots that do bound the same (nibble << 2) length with a proper <= 0x14 check — flagged as fine, not as findings.

Usage

Easy start: py binspect.py tcpip.sys --trace

How I made it

Been working on it since a few months. Hope it's useful for your research!

Contributions

Contributions are welcome, just fork it, edit it and do a Pull Request!

Disclaimer & License

Friendly Reminder: reuploads, translations, and edits without permission will get you striked. You know who you are. I know who you are. So don't do it please

S
Description
Find unstated assumptions
Readme 63 KiB
Languages
Python 100%