
How to analyze the Windows DHCP Server remote code execution vulnerability

2025-01-19 Update, from SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 05/31 Report --

Many people with little experience do not know how to go about analyzing the Windows DHCP Server remote code execution vulnerability. This article therefore summarizes the cause of the problem and its fix, and hopefully it will help you work through it.

1. Vulnerability background

On February 12, Microsoft released its routine monthly security bulletin for February, fixing several high-risk vulnerabilities, among them the Windows DHCP Server remote code execution vulnerability CVE-2019-0626. An attacker who sends a specially crafted packet to the DHCP server and successfully exploits the flaw can execute arbitrary code within the DHCP service, and the range of affected versions is wide. Qimingxing ADLab analyzed the vulnerability in detail as soon as it was published.

2. Affected versions

Windows 7

Windows 8.1

Windows 10

Windows Server 2008

Windows Server 2012

Windows Server 2016

Windows Server 2019

3. Protocol overview

DHCP (Dynamic Host Configuration Protocol), which developed from the BOOTP protocol, is a local area network protocol. DHCP is normally used to manage and assign IP addresses centrally, so that clients can obtain an IP address, gateway address, DNS server addresses and other configuration dynamically. The exchange between a DHCP client and the DHCP server is shown in the figure below.

DHCP messages on the wire follow the format shown below:

DHCP defines many kinds of Option; each Option consists of three fields: Type, Length and Data.

Type ranges from 1 to 255. Some of the Type values are listed below.

The DHCP service's vulnerability lies in its handling of the Option structure of type VendorSpecific (Type = 43). First, let's look at how the DHCP service program processes Options. The ProcessMessage function handles received DHCP messages and calls ExtractOptions to process the message's Option fields. The first parameter of ExtractOptions (v7) is a pointer to the DHCP message, and the third parameter (*(unsigned int *)(v5 + 16)) is the data at offset +16 from that pointer, i.e. the Len field.

The ExtractOptions function is shown below. `v6 = (unsigned __int64)&a1[a3 - 1];` points to the end of the message, and v10 points to the current Option structure within the message. The for loop handles each Option type in turn. When Type = 43 (Vendor Specific Information), the pointers v10 and v6 are passed as parameters to the ParseVendorSpecific function.

ParseVendorSpecific in turn calls the UncodeOption function. UncodeOption's parameter a1 points to the start of the option and a2 points to the end of the message. The security vulnerability lies in UncodeOption; it is analyzed below using the POC together with a comparison against the patched code.

4. Vulnerability analysis

Construct a DHCP Discover message as the POC shown below. The POC contains two Option structures of type vendor_specific. vendor_specific1 is a legal Option structure: its Length value 0x0a equals the actual length of its Data (0x0a). vendor_specific2 is an illegal Option structure: its Length value 0x0f is greater than the actual length of its Data (0x0a).

(1) The DHCP server receives the Discover request message and processes the packet. ExtractOptions processes the Options first; when it reaches an Option of type vendor_specific, it hands it to ParseVendorSpecific. The legal vendor_specific1 is placed in the POC in order to pass the check at lines 84 and 85, so that execution proceeds normally into the ParseVendorSpecific function.

(2) ParseVendorSpecific calls the UncodeOption function.

a. Lines 32 through 43 sum the Length values of the Option structures in a do-while loop and store the result in v13 as the size of the heap memory to allocate. The POC contains two vendor_specific structures. vendor_specific1 is processed first: v13 is computed as vendor_specific1's Length (0x0a), and v12 is advanced to the next Option structure, vendor_specific2. When the while condition at line 43 is evaluated, the do-while loop ends because vendor_specific2's Length is illegal.

b. Line 48 calls HeapAlloc to allocate heap memory; the allocation size is v13, i.e. 0x0a bytes.

c. Lines 51 to 58 copy the Data of each vendor_specific structure into the allocated heap memory in turn in a for loop. On entering the first iteration, v1 points to vendor_specific1 and v8 points to the end position, satisfying the condition v1
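The defect described in sections 3 and 4 is a classic TLV-parsing mistake: the pass that sizes the heap allocation and the pass that copies Option Data into it stop on different conditions, so a Length field that exceeds the bytes actually present lets the copy run past the buffer. The following C program is an added example written for this article; it is not code from the page or from the Windows DHCP service, and the function names (walk_options, gather_vendor_specific), callback structs and the two option lists are assumptions constructed here. It shows the safe shape: one bounds-checked walker serves both the sizing pass and the copy pass, and the copy pass still refuses to write past the size that was allocated, so a list shaped like the POC (Length 0x0f over 0x0a bytes of Data) is rejected instead of overflowing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD             0
#define DHCP_OPT_VENDOR_SPECIFIC 43
#define DHCP_OPT_END             255

/* Walk the DHCP option list buf[0..len) one Type/Length/Data triple at a time.
 * For every Type 43 option, `visit` is called with that option's Data bytes.
 * Returns 0 when the whole list is well formed and -1 as soon as an option's
 * declared Length would run past the end of the message. Using this single
 * walker for both passes below keeps their termination conditions identical. */
static int walk_options(const uint8_t *buf, size_t len,
                        int (*visit)(void *ctx, const uint8_t *data, size_t n),
                        void *ctx)
{
    size_t i = 0;
    while (i < len) {
        uint8_t type = buf[i];
        if (type == DHCP_OPT_END) return 0;           /* explicit terminator */
        if (type == DHCP_OPT_PAD) { i++; continue; }  /* one-byte option, no Length */
        if (i + 1 >= len) return -1;                  /* no room for a Length byte */
        size_t dlen = buf[i + 1];
        if (dlen > len - (i + 2)) return -1;          /* Length exceeds remaining data */
        if (type == DHCP_OPT_VENDOR_SPECIFIC && visit) {
            if (visit(ctx, buf + i + 2, dlen) != 0) return -1;
        }
        i += 2 + dlen;
    }
    return 0;  /* list ended exactly at the message boundary */
}

/* Sizing pass: add up the Data lengths of all vendor-specific options. */
struct sizing { size_t total; };
static int count_cb(void *ctx, const uint8_t *data, size_t n)
{
    (void)data;
    ((struct sizing *)ctx)->total += n;
    return 0;
}

/* Copy pass: append Data into the output buffer, never beyond its capacity. */
struct sink { uint8_t *out; size_t cap; size_t used; };
static int copy_cb(void *ctx, const uint8_t *data, size_t n)
{
    struct sink *s = ctx;
    if (n > s->cap - s->used) return -1;  /* would overflow the allocation */
    memcpy(s->out + s->used, data, n);
    s->used += n;
    return 0;
}

/* Gather the Data of all vendor-specific options into one contiguous buffer,
 * as a server does before interpreting the vendor payload. Returns the number
 * of bytes written, or -1 if the option list is malformed or out is too small. */
int gather_vendor_specific(const uint8_t *msg, size_t len, uint8_t *out, size_t cap)
{
    struct sizing sz = { 0 };
    if (walk_options(msg, len, count_cb, &sz) != 0) return -1;
    if (sz.total > cap) return -1;
    struct sink s = { out, sz.total, 0 };  /* copy is capped by the sizing result */
    if (walk_options(msg, len, copy_cb, &s) != 0) return -1;
    return (int)s.used;
}

/* Constructed sample option lists (not captured traffic). */
static const uint8_t good_opts[] = {
    43, 0x0a, 'A','A','A','A','A','A','A','A','A','A',  /* Length 0x0a matches Data */
    43, 0x0a, 'B','B','B','B','B','B','B','B','B','B',  /* second well-formed option */
    255
};
static const uint8_t bad_opts[] = {
    43, 0x0a, 'A','A','A','A','A','A','A','A','A','A',  /* legal vendor_specific1 */
    43, 0x0f, 'B','B','B','B','B','B','B','B','B','B'   /* Length 0x0f, only 0x0a bytes present */
};

int demo_good(void)      { uint8_t out[64]; return gather_vendor_specific(good_opts, sizeof good_opts, out, sizeof out); }
int demo_bad(void)       { uint8_t out[64]; return gather_vendor_specific(bad_opts,  sizeof bad_opts,  out, sizeof out); }
int demo_small_out(void) { uint8_t out[8];  return gather_vendor_specific(good_opts, sizeof good_opts, out, sizeof out); }

int main(void)
{
    printf("well-formed list: %d bytes gathered\n", demo_good());
    printf("malformed list:   %d (rejected)\n", demo_bad());
    printf("undersized out:   %d (rejected)\n", demo_small_out());
    return 0;
}
```

The point of routing both passes through walk_options is that a malformed Length is detected by the same check in both, so the sizing pass can never accept fewer options than the copy pass later writes; the extra capacity check in copy_cb is the second line of defence that a patched parser should keep even when the two passes agree.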
