Executive Summary

Title PCAUSA Rawether for Windows local privilege escalation
Name VU#600671 First vendor Publication 2017-03-21
Vendor VU-CERT Last vendor Modification 2017-04-21
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#600671

PCAUSA Rawether for Windows local privilege escalation

Original Release date: 21 Mar 2017 | Last revised: 21 Apr 2017


PCAUSA's Rawether framework does not properly validate BPF data, allowing a crafted malicious BPF program to perform operations on memory outside of its typical bounds on the driver's receipt of network packets. This vulnerability may be exploited to perform local privilege escalation on Windows systems.


The Rawether framework for Windows, originally produced by Printing Communications Assoc., Inc. (PCAUSA), is a framework that facilitates communication between an application and the Network Driver Interface System (NDIS) protocol. This framework is used by many different hardware vendors in their WiFi and router control applications. Rawether implements the Berkeley Packet Filter (BPF) mechanism. BPF filters are compiled into small programs that are executed by a BPF virtual machine.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2017-3196

The Rawether framework does not properly validate BPF programs before execution, allowing BPF programs that may read/write arbitrary memory or infinitely loop. The return address on the stack may be overwritten, allowing a local user to execute arbitrary code with SYSTEM privileges.

To enable the vulnerable part of the driver, an exploit has to issue a OID_GEN_CURRENT_PACKET_FILTER NDIS request with NDIS_PACKET_TYPE_ALL_LOCAL flags and set the BPF program. The exploit is triggered by reading the first received network packet.

The researcher has provided a proof of concept affecting the 64-bit version of PcaSp60.sys driver which is part of ASUS PCE-AC56 WLAN Card Utilities. However, other utilities and programs making use of this driver may also be affected. Identifying vulnerable software may be difficult due to variations in driver name, version, or device name or information, but the vulnerable driver is most likely included in OEM WiFi utility programs. Some common default naming convention for the affected drivers include:

  • PcaSp60.sys
  • PcaSp50.sys
  • PcaMp60.sys
  • PcaMp50.sys

    For more information, see the researcher's blog post.

  • Impact

    A local authenticated attacker may be able to execute a malicious BPF program that can execute arbitrary code with SYSTEM privileges.


    Apply an update or uninstall affected software

    Apply an update to any software that makes use of the Rawether driver. Alternately, uninstall any affected software.

    A list of possibly affected vendors is given below and will be updated as we learn more.

    Vendor Information (Learn More)

    VendorStatusDate NotifiedDate Updated
    ASUSTeK Computer Inc.Affected17 Mar 201721 Mar 2017
    Printing Communications Association, Inc.Affected-17 Mar 2017
    DellNot Affected17 Mar 201721 Apr 2017
    AcerUnknown17 Mar 201717 Mar 2017
    Hewlett Packard EnterpriseUnknown17 Mar 201717 Mar 2017
    LenovoUnknown17 Mar 201717 Mar 2017
    Toshiba America Information Systems, Inc.Unknown17 Mar 201717 Mar 2017
    VAIO CorporationUnknown17 Mar 201717 Mar 2017
    If you are a vendor and your product is affected, let us know.

    CVSS Metrics (Learn More)



    • http://blog.rewolf.pl/blog/?p=1778
    • http://cwe.mitre.org/data/definitions/119.html
    • https://www.kernel.org/doc/Documentation/networking/filter.txt
    • https://msdn.microsoft.com/en-us/windows/hardware/drivers/network/introduction-to-ndis-protocol-drivers


    This issue was reported publicly by "ReWolf" (@rwfpl).

    This document was written by Garret Wassermann.

    Other Information

    • CVE IDs:CVE-2017-3196
    • Date Public:15 Mar 2017
    • Date First Published:21 Mar 2017
    • Date Last Updated:21 Apr 2017
    • Document Revision:34


    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Original Source

    Url : http://www.kb.cert.org/vuls/id/600671

    CWE : Common Weakness Enumeration

    % Id Name
    100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

    CPE : Common Platform Enumeration

    Application 1

    Alert History

    If you want to see full details history, please login or register.
    Date Informations
    2018-01-12 21:24:43
    • Multiple Updates
    2017-12-16 09:23:30
    • Multiple Updates
    2017-04-21 09:22:58
    • Multiple Updates
    2017-03-22 00:21:23
    • First insertion