Update README.md
This commit is contained in:
@@ -0,0 +1,35 @@
|
||||
# What day-zero dug up in tcpip.sys
|
||||
|
||||
Windows TCP/IP driver, 8,421 functions, no symbols. These are leads, not
|
||||
confirmed bugs — spots worth opening in Ghidra, not proof of anything.
|
||||
|
||||
A length going into `NdisGetDataBuffer`:
|
||||
|
||||
```
|
||||
len = ((arg2 & 0xf) << 2) - 20
|
||||
```
|
||||
|
||||
Low nibble times 4, minus 20 — a header-length field in 4-byte words with a
|
||||
20-byte header subtracted off. Nibble under 5 and it underflows to ~4GB.
|
||||
|
||||
A length walked through four functions, none of them bounding it, from a network
|
||||
entry point down into a packet parser:
|
||||
|
||||
```
|
||||
0x1400557d0 -> 0x140053d04 -> 0x14006323c -> 0x140061850 -> NdisGetDataBuffer
|
||||
```
|
||||
|
||||
Every hop assumes someone else checked it.
|
||||
|
||||
A handful of WFP functions (`WfpBufferCopy`,
|
||||
`WfpHandOffTupleStateToTemporaryAleEntry`) hand an unchecked value straight to
|
||||
`ExAllocatePool2` as the allocation size. One computes it as `(input << 4) + 0x2e`
|
||||
— multiply attacker input by 16, allocate that.
|
||||
|
||||
And the spots that *do* bound the same `(nibble << 2)` length with a proper
|
||||
`<= 0x14` check — flagged as fine, not as findings.
|
||||
|
||||
|
||||
# Usage
|
||||
Easy start:
|
||||
```py binspect.py tcpip.sys --trace```
|
||||
Reference in New Issue
Block a user