Don't Trust the NIC: Attacking Windows NDIS Drivers

Presented at ekoparty 14 (2018), Sept. 28, 2018, 11:10 a.m. (50 minutes)

Over the last decade, we've gone through a very large number of Windows kernel driver vulnerabilities, not only in third-party vendor components but also in Microsoft implementations. In recent years, however, the industry has learnt about the dangers of not sanitizing user-supplied values or exposing privileged functionality through driver IOCTLs, graphics Escapes, and many other interfaces, which are now becoming harder to break in most commonly deployed software products. Despite all the security improvements on the most common types of Windows drivers, I have found that NDIS (Network Driver Interface Specification) drivers, installed by widely used hardware NICs and by software like VPNs, AVs, and so on, are being excluded from vulnerability assessments. The NDIS library defines a layered architecture, a kernel API and an execution environment which lets protocol drivers communicate with network adapter drivers in a device-independent manner. Lost in its complexity, there lies an interface in all NDIS drivers that seems to be forgotten by attackers. In this presentation, I'll explore some of the internals of NDIS drivers and their attack surface, and then demonstrate how easy it is to crash the system with a dumb fuzzer. I'll also show the problems found in major vendor implementations, such as BSODs, info leaks and elevation of privileges; this includes Microsoft itself, the Windows Insider bounty program and NDIS.sys.


  • Enrique Nissim
    Enrique Nissim is a Senior Security Consultant at IOActive. His experience and interests include reverse engineering, exploit development, programming and application security. He has also been a regular speaker at other international cybersecurity conferences, including CansecWest, AsiaSecWest, EKOParty, and ZeroNights.
