Mak213, 11-24-2008, 02:39 PM, #1

Apparent IP routing vulnerability affects Vista, not XP

A change in the way the Windows client enables IP routes to be amended manually is the target of a potentially serious exploit for Vista users only, that Microsoft may now have no choice but to address.

Through SecurityFocus.com last Wednesday, a team of researchers at Phion published a proof of concept that demonstrates how Microsoft's Internet Protocol Helper API could be exploited to trigger a stack buffer overflow, potentially leading to the execution of random code. Unusually, this particular exploit can only be recreated, Phion said in its bulletin, on Windows Vista Enterprise and Ultimate versions, in 32- and 64-bit editions.

The Phion bulletin explicitly says that Windows XP, which also utilizes this API library, is not affected by this problem. The library in question has been in existence since Windows NT 4.0 Service Pack 4, and has been a regular component of successive versions since Windows 98.

Windows Vista was the first client operating system from Microsoft to support IPv6 protocol as a standard feature, although IPv6 remains an option for XP and older clients. It's that distinction which leads to the Vista-specificity of this issue. The IP Helper API gives developers more direct access to the functions necessary for a Windows computer to utilize IP. So naturally, one of the functions included enables a program to establish an IP route for the local computer, and the original form of that function was called CreateIpForwardEntry.

Since the introduction of IPv6 as standard issue, the library had to offer an alternative way to phrase the forward route entry, though it had to also leave the earlier version of the function for backward compatibility. Thus the creation of CreateIpForwardEntry2, an API function that is only workable in Vista. An XP or older client would never make use of it, presumably even with IPv6 intentionally installed.

Thus the situation where the route add command, as Phion illustrated, can be gamed in such a way that it triggers a buffer overflow in Vista but not in XP. Evidently the command utilizes the older API function in XP, and the newer one in Vista.

Source