
How to reproduce and fix the CVE-2020-16898 vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article shows how to reproduce and fix the vulnerability. The content is concise and easy to follow; I hope the detailed walkthrough gives you something to take away.

I. Introduction to the vulnerability

The flaw is a remote code execution vulnerability in the Windows TCP/IP stack, triggered when it processes ICMPv6 Router Advertisement packets that carry option type 25 (0x19, Recursive DNS Server option) with an even value in the length field. An attacker who successfully exploits this vulnerability can execute arbitrary code on the target machine (host or server).

Affected versions:

Microsoft Windows 10 1709

Microsoft Windows 10 1803

Microsoft Windows 10 1809

Microsoft Windows 10 1903

Microsoft Windows 10 1909

Microsoft Windows 10 2004

Microsoft Windows Server 2019

Microsoft Windows Server, version 1903

Microsoft Windows Server, version 1909

Microsoft Windows Server, version 2004

II. Analysis of the vulnerability

A remote code execution vulnerability exists because the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets that use option type 25 (Recursive DNS Server option) with an even value in the length field. In this option the length is counted in 8-byte units, so an RDNSS option with length 3 is 24 bytes in total. The option has five fields: type, length, reserved, lifetime, and the addresses of the IPv6 recursive DNS servers. The first four fields always total 8 bytes, while the last field holds a variable number of IPv6 addresses, each 16 bytes long. According to RFC 8106 the length field must therefore always be an odd value of at least 3. When an even length value is supplied, the Windows TCP/IP stack advances through the network buffer 8 bytes too few, because it counts the address field internally in 16-byte units and cannot reconcile a length value that does not match the RFC. This mismatch makes the stack interpret the last 8 bytes of the current option as the start of a second option, resulting in a buffer overflow and potential RCE.
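The length rule above is easy to state as code. The following Python is an added example (not from the article or from Microsoft) that walks a Neighbor Discovery option list the way a compliant parser would, rejects any RDNSS option whose length is not an odd value of at least 3, and also reports, per the article's description, how far a parser that miscounts by 8 bytes would advance for an even length. The sample option lists are constructed in the block for the demonstration, not captured traffic; the helper names are the example's own.

```python
import ipaddress
import struct

# RFC 8106 Recursive DNS Server (RDNSS) option type, as discussed in the article.
RDNSS_TYPE = 25


def parse_rdnss(opt_len: int, body: bytes) -> dict:
    """Decode an RDNSS option body (everything after the 2-byte type/length header).

    RFC 8106 requires the length (in 8-byte units) to be an odd value >= 3:
    8 bytes of fixed fields plus 16 bytes per IPv6 address. A violation is
    reported instead of being parsed, which is the check the vulnerable
    stack was missing."""
    if opt_len < 3 or opt_len % 2 == 0:
        return {"problem": f"RDNSS length {opt_len} is not an odd value >= 3"}
    # body layout: reserved(2) | lifetime(4) | addresses(16 bytes each)
    lifetime = struct.unpack("!I", body[2:6])[0]
    n_addrs = (opt_len - 1) // 2
    addrs = [
        str(ipaddress.IPv6Address(body[6 + 16 * i: 22 + 16 * i]))
        for i in range(n_addrs)
    ]
    return {"lifetime": lifetime, "addresses": addrs}


def parse_nd_options(data: bytes) -> list:
    """Walk the Neighbor Discovery option list that follows the 16-byte
    Router Advertisement header. Each option advances by length*8 bytes
    (RFC 4861); a malformed option stops the walk with a 'problem' entry."""
    options = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            options.append({"offset": off, "problem": "truncated option header"})
            break
        opt_type, opt_len = data[off], data[off + 1]
        entry = {"offset": off, "type": opt_type, "length": opt_len}
        if opt_len == 0:
            entry["problem"] = "zero-length option (forbidden by RFC 4861)"
            options.append(entry)
            break
        nbytes = opt_len * 8
        if off + nbytes > len(data):
            entry["problem"] = "option extends past end of packet"
            options.append(entry)
            break
        if opt_type == RDNSS_TYPE:
            entry.update(parse_rdnss(opt_len, data[off + 2: off + nbytes]))
        options.append(entry)
        off += nbytes
    return options


def has_malformed_rdnss(data: bytes) -> bool:
    """Detection helper: True if any option is an RDNSS option that violates
    the RFC 8106 length rule, the condition this CVE hinges on."""
    return any(
        o.get("type") == RDNSS_TYPE and "problem" in o for o in parse_nd_options(data)
    )


def rdnss_advance(opt_len: int) -> tuple:
    """Return (compliant_advance, described_flawed_advance) in bytes for an
    RDNSS option of the given length. The flawed figure models the article's
    description: for an even length the stack moves 8 bytes too few, so the
    option's last 8 bytes are read as the header of a following option."""
    compliant = opt_len * 8
    flawed = compliant - 8 if opt_len % 2 == 0 else compliant
    return compliant, flawed


# Constructed sample option lists (not captured traffic). Both begin with a
# Source Link-Layer Address option (type 1, length 1, 6-byte MAC).
SLLA = b"\x01\x01" + bytes.fromhex("0200000000aa")
ADDR = ipaddress.IPv6Address("2001:db8::53").packed
LIFETIME = struct.pack("!I", 3600)

# Compliant RDNSS: length 3 -> 8 fixed bytes + one 16-byte address = 24 bytes.
SAMPLE_GOOD = SLLA + bytes([RDNSS_TYPE, 3]) + b"\x00\x00" + LIFETIME + ADDR
# Non-compliant RDNSS: even length 4 -> 32 bytes, 8 of which fit no address.
SAMPLE_BAD = SLLA + bytes([RDNSS_TYPE, 4]) + b"\x00\x00" + LIFETIME + ADDR + b"\x00" * 8


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, "malformed:", has_malformed_rdnss(sample))
        for opt in parse_nd_options(sample):
            print("  ", opt)
```

The same odd-length test is what a network IDS rule for this CVE checks for: an RA whose type-25 option carries an even length value is never legitimate under RFC 8106, so flagging it produces no false positives against compliant routers.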

III. Reproducing the vulnerability

Reproduction steps

1. Enable IPv6 in the virtual machine's network settings.

2. Check the environment.

To see the Windows version, press Win+R and enter winver in the Run dialog.

3. Run a publicly available detection script to tell a vulnerable host from a patched one; the results are as follows:

PowerShell.exe -ExecutionPolicy Unrestricted -File C:\Users\user\Desktop\new.ps1.ps1

4. Run ipconfig and note the IPv6 address of the target machine. Use the address labelled "IPv6 Address" or "Temporary IPv6 Address".

5. Run ipconfig and note the IPv6 address of the attacking machine. Use the address labelled "Link-local IPv6 Address".

6. Run the payload; the target blue-screens.

PoC principle:

When the Windows TCP/IP stack processes option type 25 (0x19, Recursive DNS Server option) in a forged ICMPv6 Router Advertisement whose length field is even, it derives the offset of each option from the Length field as it walks and parses the packet. The boundary between the Addresses of IPv6 Recursive DNS Servers field and the next RDNSS option is therefore computed incorrectly, the forged option slips past validation, and parsing it causes a stack overflow that crashes the system.

IV. Remediation

(1) Install the patch officially provided by Microsoft:

Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

(2) Users who cannot readily install updates, for example on isolated networks, can apply the temporary workaround Microsoft officially provides:

Disable ICMPv6 RDNSS:

Open PowerShell as an administrator and enter the following command to display the interface parameters:

netsh int ipv6 show interface

Find the index of each interface to be disabled in this list, then run the disable command (here for interface index 8):

netsh int ipv6 set int 8 rabaseddnsconfig=disable

The setting is disabled once the command returns "Ok."; re-enabling it works the same way with rabaseddnsconfig=enable. None of these operations require a reboot.

That covers how to reproduce and fix the vulnerability. I hope you picked up some knowledge or skills; if you want to learn more, you are welcome to follow the industry information channel.
