Microsoft recently disclosed a critical Windows vulnerability, CVE-2024-38063. It affects the TCP/IP stack, the core communication framework that connects devices over the Internet and underpins essential services such as the World Wide Web and email. With a CVSS score of 9.8 (Critical), it can be exploited remotely and is potentially "wormable": it could spread across a network without requiring any user interaction. The vulnerability allows an attacker to achieve remote code execution (RCE) on a system that has IPv6 enabled, which is the default setting on Windows.
This vulnerability affects many systems, including Windows 10, Windows 11 and Windows Server from 2008 to 2022.
What do we discuss in this article?
Microsoft IPv4/IPv6 RCE Explained
The vulnerability specifically targets the IPv6 subsystem and was patched by Microsoft on 13 August 2024. It lets attackers achieve RCE through improper handling of specially crafted network packets: the flaw lies in the way these packets are processed, leading to a buffer overflow that can let an attacker execute arbitrary code on the affected machine.
The vulnerability is rooted in how fragmented IPv6 packets are processed. When such packets arrive at their destination, they must be reassembled into their original form. The Windows kernel's handling of this reassembly can be exploited: by sending a large number of specially crafted packets, each with manipulated extension headers, an attacker can overwhelm the system. The overload causes the kernel to mishandle memory, leading to a buffer overflow in which data spills past its allocated space. That overflow gives an attacker a pathway to inject and execute malicious code.
# mac_addr, ip_addr, frag_id and i are set elsewhere in the proof-of-concept script
first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
By fragmenting the packet, the attacker introduces a level of complexity that the Windows kernel fails to manage properly. Normally these fragments would be harmlessly reassembled into the original packet. When the packet carries the malicious extension headers described above, however, the reassembly process becomes a minefield: the Windows kernel's mishandling of it leads to memory corruption, a precursor to more severe outcomes such as remote code execution.
Step 3: Flooding the system
Once the packets have been built, they are all sent to the target:
# num_batches, num_tries and get_packets() are defined elsewhere in the proof-of-concept script
final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)
By sending a large number of these fragmented, malicious packets, the attacker increases the likelihood that the kernel will process them in a way that triggers the vulnerability. This high-traffic scenario is crucial because it helps create the race conditions needed to exploit the flaw effectively.
Steps to mitigate
> Update Windows systems
> Disable the IPv6 feature
> Monitor for anomalous IPv6 traffic
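As a worked illustration of the third step, the following detector is added here and is not part of the original article or of any proof-of-concept script. It parses raw IPv6 packets, walks the extension header chain, and raises alerts for the traffic shapes the article describes: Destination Options headers carrying option types a sensor would not normally see, fragments that carry no data, and a burst of fragments from a single source. The sample packets, the addresses (2001:db8::bad, 2001:db8::1, 2001:db8::2), the fragment id 0x1234, the burst threshold of 20 fragments and the option allowlist are all constructed assumptions for the demonstration, not values taken from real traffic.

```python
import struct
import ipaddress
from collections import Counter

# IPv6 next-header values for the extension headers walked below
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_NONE, NH_DSTOPTS = 0, 43, 44, 59, 60
OPTION_HEADERS = {NH_HOPOPT, NH_DSTOPTS}
# Assumed allowlist: option types a sensor expects in ordinary traffic
# (Pad1, PadN, Router Alert, Jumbo Payload). Anything else is reported.
KNOWN_OPTIONS = {0x00, 0x01, 0x05, 0xC2}


def parse_options(area):
    """Return the option types found in a Hop-by-Hop/Destination Options area."""
    types, i = [], 0
    while i < len(area):
        otype = area[i]
        if otype == 0x00:          # Pad1: a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option")
        types.append(otype)
        i += 2 + area[i + 1]       # type, length, data
    if i != len(area):
        raise ValueError("option data overruns header")
    return types


def analyze_packet(pkt):
    """Walk one packet's extension-header chain; return a summary plus findings."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    vtf, _plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    findings, off, is_frag = [], 40, False
    while nh in OPTION_HEADERS or nh in (NH_ROUTING, NH_FRAGMENT):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            nh, _res, off_m, frag_id = struct.unpack("!BBHI", pkt[off:off + 8])
            off += 8
            is_frag = True
            if len(pkt) == off:    # fragment header with nothing behind it
                findings.append(("empty-fragment",
                                 f"id={frag_id:#x} offset={off_m >> 3} M={off_m & 1} carries no data"))
        else:
            ext_len = (pkt[off + 1] + 1) * 8   # length field counts 8-octet units past the first
            if off + ext_len > len(pkt):
                raise ValueError("truncated extension header")
            if nh in OPTION_HEADERS:
                unknown = [t for t in parse_options(pkt[off + 2:off + ext_len])
                           if t not in KNOWN_OPTIONS]
                if unknown:
                    findings.append(("unknown-option",
                                     f"types {[hex(t) for t in unknown]} in header {nh}"))
            nh = pkt[off]
            off += ext_len
    return {"src": src, "hlim": hlim, "fragment": is_frag, "findings": findings}


def scan(packets, frag_threshold=20):
    """Return alerts: per-packet findings plus per-source fragment bursts."""
    alerts, frags = [], Counter()
    for pkt in packets:
        info = analyze_packet(pkt)
        for code, detail in info["findings"]:
            alerts.append((code, info["src"], detail))
        if info["fragment"]:
            frags[info["src"]] += 1
    for src, n in frags.items():
        if n > frag_threshold:
            alerts.append(("fragment-burst", src, f"{n} fragments from one source"))
    return alerts


def ipv6(next_header, hop_limit, payload, src, dst):
    """Build a raw IPv6 packet (constructed sample input, not captured traffic)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + src + dst + payload


SRC_ATTACK = ipaddress.IPv6Address("2001:db8::bad").packed   # constructed
SRC_BENIGN = ipaddress.IPv6Address("2001:db8::1").packed     # constructed
DST = ipaddress.IPv6Address("2001:db8::2").packed            # constructed

# Constructed samples mirroring the packet shapes the article describes
PKT_CRAFTED_OPTS = ipv6(NH_DSTOPTS, 64, bytes([NH_NONE, 0, 0x81, 3]) + b"aaa" + b"\x00", SRC_ATTACK, DST)
PKT_FRAG_FIRST = ipv6(NH_FRAGMENT, 64, struct.pack("!BBHI", NH_NONE, 0, (0 << 3) | 1, 0x1234) + b"a" * 8, SRC_ATTACK, DST)
PKT_FRAG_LAST = ipv6(NH_FRAGMENT, 64, struct.pack("!BBHI", NH_NONE, 0, (1 << 3) | 0, 0x1234), SRC_ATTACK, DST)
PKT_BENIGN = ipv6(NH_DSTOPTS, 64, bytes([NH_NONE, 0, 0x01, 4, 0, 0, 0, 0]), SRC_BENIGN, DST)

SAMPLE_TRAFFIC = [PKT_BENIGN] + [PKT_CRAFTED_OPTS, PKT_FRAG_FIRST, PKT_FRAG_LAST] * 30

if __name__ == "__main__":
    for code, src, detail in scan(SAMPLE_TRAFFIC):
        print(f"[{code}] {src}: {detail}")
```

On the constructed sample the benign PadN packet produces no alert, every crafted packet is flagged either for its unrecognised option type or for being a data-less fragment, and the repeated fragments from one source trip the burst threshold. In a real sensor the allowlist and threshold should be tuned to the network's baseline, since some legitimate hosts send fragmented IPv6 traffic; the point of the example is that the anomalies the article describes are visible at the extension-header level before reassembly ever happens.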