Vigil@nce - Windows: denial of service via Ipv4SetEchoRequestCreate
August 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can interrupt the sending of an ICMP ECHO request in
order to stop the kernel.
Severity: 1/4
Creation date: 24/08/2010
DESCRIPTION OF THE VULNERABILITY
The IcmpSendEcho() of the Windows API sends an IPv4 ICMP ECHO.
When sending a packet via IcmpSendEcho(), the
Ipv4SetEchoRequestCreate() of the tcpip.sys driver is called.
However, when the call is interrupted by an exception, a locked
memory page is not released leading to a bug-check stopping the
kernel.
An attacker can therefore interrupt the sending of an ICMP ECHO
request in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-denial-of-service-via-Ipv4SetEchoRequestCreate-9875