2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How to analyze the critical Windows 10 vulnerability CVE-2019-0726 is something many newcomers are not clear about. To help with this, the editor explains it in detail below; anyone who needs it is welcome to read on, and I hope you gain something from it.
Foreword
The update Microsoft released in January drew public attention to CVE-2019-0547, a critical vulnerability in the DHCP client. The CVSS score of this vulnerability is very high, and Microsoft did not immediately publish an exploitability assessment for it, so it was hard for users to decide whether to update their systems right away. Some researchers, however, believe that this vulnerability is likely to be exploited by a large number of cybercriminals in the near future.
Therefore, in order to detect attacks against this DHCP vulnerability and related ones better, and to update our products accordingly, we need to understand all the details in depth. The first thing to do is reconnaissance.
Reconnaissance
At first we planned to use search engines to find information about the vulnerability, but we found little detail, and most of the content came from the security bulletins published on the MSRC website. While reading these bulletins, however, we learned that we were dealing with a memory corruption vulnerability in both client and server editions of Windows 10 (version 1803), triggered when an attacker sends a specially crafted response to the DHCP client.
As we can see, MSRC rates it with an exploitability index of 2 (exploitation less likely), which means the vulnerability may be unexploitable or hard to exploit. Still, we wanted to see for ourselves, through our own analysis, what this vulnerability really looks like.
From that site we downloaded the security update (an .msu file), unpacked it, and then looked for the files involved in the client's handling of DHCP responses. This is not easy, because the update package contains the fixes for every vulnerability patched that month rather than a patch for a single one. Among the large number of files, we used filters to find several candidate libraries and then compared the system versions. Of these, the dhcpcore.dll library was the closest match:
In fact, only the DecodeDomainSearchListData function had undergone major changes, and if you are familiar with the DHCP protocol, you will know that it is rarely used.
DecodeDomainSearchListData function
The domain search option in DHCP is 0x77 (119). It lets the server set DNS suffixes on the client, but it did not apply to Windows devices, because earlier Windows versions ignored this option. If needed, DNS name suffixes can be configured through group policy. Windows 10, however, introduced handling for the domain search option in the new version 1803.
DecodeDomainSearchListData works as follows: it takes the option data received from the server and decodes it according to the domain search option format. Its input is the encoded data array, and its output is a null-terminated string containing a comma-separated list of domain names. For example, the function converts the following domain name suffixes:
.eng.apple.com
.marketing.apple.com
into the single string:
eng.apple.com,marketing.apple.com
DecodeDomainSearchListData is called while UpdateDomainSearchOption is processed, and the returned list is written to the "DhcpDomainSearchList" value of the registry key:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}\
which then stores the main parameters for the specific network interface:
The DecodeDomainSearchListData function makes two passes over the data. On the first pass it does everything except writing to the output buffer; that is, it calculates the amount of memory needed to hold the returned data. On the second pass it allocates memory for the data and fills it. The function has about 250 instructions, and its main job is processing the incoming byte stream. It also checks the buffer size: if the size is zero, it does not allocate memory for the buffer, finishes execution, and returns an error:
Therefore, the vulnerability can be triggered only when the target buffer size is 0.
Vulnerability exploitation
First, we can use pointers so that non-empty input data produces an empty output string:
Setting up a server that responds with this content causes an access violation on an unpatched client. At each step, when the function finishes parsing part of a domain name, it copies the data into the target buffer:
1) .eng.
2) .eng.apple.
3) .eng.apple.com.
Next, when a domain name of size 0 appears in the data, the function changes the period in the target buffer to a comma:
4) .eng.apple.com,
Then continue to parse:
5) .eng.apple.com,marketing.
6) .eng.apple.com,marketing.apple.
7) .eng.apple.com,marketing.apple.com.
8) .eng.apple.com,marketing.apple.com,
Once the input data has been parsed, all that remains is to replace the last comma with a null character:
9) .eng.apple.com,marketing.apple.com
What happens when an attacker sends the buffer shown above? As we can see, it contains a list consisting of a single empty name. When the function calculates the size of the output data on the first pass, the size is zero, because the data contains no domain name of non-zero length. On the second pass it allocates a heap memory block for the data and copies the data into it. But the parsing function immediately encounters the null byte marking the end of a domain name and changes the period to a comma, even though nothing has been written yet.
Therefore, to exploit CVE-2019-0726, an attacker would have to perform a remote heap spray against the DHCP client and gain full control over the heap memory layout. Otherwise, writing to an address the attacker does not control will simply crash the svchost.exe process.
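To make the decoding steps and the empty-name edge case above concrete, here is an added example (not Microsoft's code, nor from the original article): a Python decoder for DHCP option 119 that follows the per-label algorithm the article attributes to DecodeDomainSearchListData, refuses the empty-name case instead of writing before the buffer, and includes a helper that flags option data meeting the article's trigger condition (non-empty input, zero-size output) for use in detection logic. The pointer and label encoding follows RFC 3397; the names MalformedSearchList, decode_domain_search_list and matches_trigger_condition are my own.

```python
# Added example, not Microsoft's code: decoder for DHCP option 119 (RFC 3397) modelled on
# the algorithm the article attributes to DecodeDomainSearchListData; empty-name check is the assumed hardening.
class MalformedSearchList(ValueError):
    pass

def _decode_name(data: bytes, pos: int, out: bytearray) -> int:
    """Append one name as 'label.label.' to out; return the next name's offset."""
    resume = None  # set once a compression pointer has been followed
    while True:
        if pos >= len(data):
            raise MalformedSearchList("truncated name")
        length = data[pos]
        if length >= 0xC0:  # 11xxxxxx: pointer to an earlier offset
            if pos + 1 >= len(data) or ((length & 0x3F) << 8 | data[pos + 1]) >= pos:
                raise MalformedSearchList("bad pointer")  # truncated or not backward
            resume = pos + 2 if resume is None else resume
            pos = (length & 0x3F) << 8 | data[pos + 1]
            continue
        if length >= 0x40:
            raise MalformedSearchList("reserved label type")
        pos += 1
        if length == 0:  # zero-length label ends the name
            return pos if resume is None else resume
        if pos + length > len(data):
            raise MalformedSearchList("truncated label")
        out += data[pos:pos + length] + b"."
        pos += length

def decode_domain_search_list(data: bytes, reject_empty: bool = True) -> str:
    """Return e.g. 'eng.apple.com,marketing.apple.com'. reject_empty=False
    mimics the size-counting pass, where an empty name simply adds nothing."""
    out, pos = bytearray(), 0
    while pos < len(data):
        before = len(out)
        pos = _decode_name(data, pos, out)
        if len(out) == before:
            # Empty name: no trailing '.' exists to turn into ','. Replacing
            # out[-1] anyway at offset 0 is the write the article describes.
            if reject_empty:
                raise MalformedSearchList("empty domain name")
            continue
        out[-1] = ord(",")  # name finished: its last '.' becomes ','
    return out[:-1].decode("ascii")  # drop the final ',' (original: NUL)

def matches_trigger_condition(data: bytes) -> bool:
    """Non-empty data whose counting pass yields zero bytes (the article's precondition)."""
    try:
        return bool(data) and decode_domain_search_list(data, False) == ""
    except MalformedSearchList:
        return False
```

The RFC 3397 sample encoding `b"\x03eng\x05apple\x03com\x00\x09marketing\xc0\x04"` (constructed input; the second name reaches apple.com through a pointer to offset 4) decodes to the string shown earlier, while the single byte `b"\x00"` is rejected by the decoder and reported by matches_trigger_condition.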