
Windows Remote Kernel Exploitation via IPv6


Microsoft recently disclosed a critical Windows vulnerability, CVE-2024-38063. It affects the TCP/IP protocol, the core communication framework that connects devices over the Internet and supports essential services such as the World Wide Web and email. With a CVSS score of 9.8 (Critical), it can be exploited remotely and has the potential to be "wormable", spreading across a network without any user interaction. The vulnerability allows an attacker to execute arbitrary code remotely (RCE) on a system that has IPv6 enabled, which is the default setting on Windows.

This vulnerability affects many systems, including Windows 10, Windows 11 and Windows Server from 2008 to 2022.


What do we discuss in this article?

> Microsoft IPv4/IPv6 RCE explained
> Affected systems
> Proof of concept
> Steps to mitigate

Microsoft IPv4/IPv6 RCE Explained

The vulnerability specifically targets the IPv6 subsystem and was patched by Microsoft on 13 August 2024. It allows remote code execution due to improper handling of specially crafted network packets: the flaw lies in the way these packets are processed, leading to a buffer overflow that can enable attackers to execute arbitrary code on the affected machine.

The vulnerability is rooted in how fragmented IPv6 packets are processed. When these packets arrive at their destination, they should be reassembled into their original form. However, the Windows kernel's approach to this reassembly process can be exploited. By sending a large number of specially crafted packets, each with manipulated extension headers, an attacker can overwhelm the system. This overload causes the kernel to mishandle memory, leading to a buffer overflow, where data spills over its allocated space. This overflow creates a pathway for attackers to inject and execute malicious code.

Affected versions of Windows
The vulnerability affects a wide range of Windows operating systems that have IPv6 enabled.

Windows 10
Windows 11
Windows Server (2008-2022)

By default, IPv6 is enabled in all Windows operating systems, which leaves them vulnerable to CVE-2024-38063 until they are patched.

Proof of Concept
IPv6 extension headers
IPv6 extension headers contain supplementary information used by network devices (such as routers, switches and endpoint hosts) to decide how to direct or process an IPv6 packet. The length of each extension header is an integer multiple of 8 octets, which allows subsequent extension headers to be laid out on 8-octet boundaries.

The PoC works by crafting a malicious IPv6 packet, fragmenting it, and flooding the target system with the fragments.
The PoC is publicly available; if you want to study it in more depth, you can also look at the original security researcher's analysis.

Step 1: Crafting a malicious IPv6 packet

first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])

The attacker crafts a malicious IPv6 packet with an IPv6 extension header. This header, usually harmless, is stuffed with carefully chosen data that will cause problems when the kernel tries to process it. The packet is designed to look like any other network traffic, but inside it carries a payload that can confuse the system.

Step 2: Fragmenting the packet

Once the packet is created, the next step is to fragment it. IPv6 supports packet fragmentation so that a large packet can be split into small pieces, sent over the network, and reassembled on receipt.

second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)

By fragmenting the packet, the attacker introduces a level of complexity that the Windows kernel fails to manage properly. Normally, these fragments would be harmlessly reassembled into the original packet. However, when the packet includes the previously mentioned malicious extension headers, the reassembly process becomes a minefield. The Windows kernel's mishandling of this process leads to memory corruption, a precursor to more severe exploits like remote code execution.

Step 3: Flooding the system

Once all the packets are built, they are ready to be sent to the target:

# num_batches, num_tries and get_packets() are defined elsewhere in the PoC script
final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

By sending a large number of these fragmented, malicious packets, the attacker increases the likelihood that the kernel will process them in a way that triggers the vulnerability. This high-traffic scenario matters because it helps create the race conditions needed to exploit the flaw effectively.
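On the defender side, the packet shapes described in the three steps above can be recognised from the extension-header chain alone. The following parser is an added example, not part of this page or of the public PoC: it walks the IPv6 extension headers of a raw packet (assumed to have its Ethernet header already stripped), lists the option types inside a Destination Options header, and flags the two shapes seen above, a Destination Options header carrying the unassigned option type 0x81 and a final fragment that carries no data. The sample packets are constructed inline.

```python
import struct
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, NO_NEXT = 0, 43, 44, 60, 59  # standard IANA next-header numbers
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
SUSPECT_OPTION = 0x81  # unassigned option type the PoC stuffs into its Destination Options header

def walk_ext_headers(pkt):
    """Return ([(next_header, header_bytes), ...], payload_offset) for a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8  # fragment header is a fixed 8 octets
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain, off

def option_types(hdr):
    """Option type codes in a Hop-by-Hop or Destination Options header (TLVs after the 2-byte header)."""
    types, i = [], 2
    while i + 1 < len(hdr):
        if hdr[i] == 0:  # Pad1: a single byte with no length field
            i += 1
        else:
            types.append(hdr[i])
            i += 2 + hdr[i + 1]
    return types

def suspicious_reasons(pkt):
    """Flags matching the packet shapes in the PoC; an empty list means nothing matched."""
    chain, payload_off = walk_ext_headers(pkt)
    reasons = []
    for nh, hdr in chain:
        if nh == DSTOPTS and SUSPECT_OPTION in option_types(hdr):
            reasons.append("dest-options carries option type 0x81")
        if nh == FRAGMENT:
            frag_field = struct.unpack("!H", hdr[2:4])[0]
            more, offset = frag_field & 1, frag_field >> 3
            if not more and offset > 0 and payload_off == len(pkt):
                reasons.append("final fragment with empty payload")
    return reasons
def ipv6_packet(hlim, body, first_nh):  # constructed IPv6 header: flow label 1, all-zero addresses
    return b"\x60\x00\x00\x01" + struct.pack("!HBB", len(body), first_nh, hlim) + bytes(32) + body
# Constructed samples mirroring the PoC's first and third packets (no Ethernet header).
POC_DSTOPT = ipv6_packet(64, bytes([NO_NEXT, 0, SUSPECT_OPTION, 3]) + b"aaa" + b"\x00", DSTOPTS)
POC_LAST_FRAG = ipv6_packet(64, struct.pack("!BBHI", NO_NEXT, 0, 1 << 3, 1), FRAGMENT)
```

Either flag on its own is only a heuristic; in practice a burst of such packets from one source, as in step 3, is the signal worth alerting on.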

Steps to mitigate

> Update Windows systems
> Disable the IPv6 feature
> Monitor for anomalous IPv6 traffic

Always update your system to patch vulnerabilities. Disabling IPv6 is only a stopgap for systems that cannot be patched right away, and it can break services that depend on IPv6, so apply the August 2024 update as soon as possible.

