CVE-2024-38063 - Windows TCP/IP Remote Code Execution Vulnerability Research

Comprehensive research to save you time, energy, sanity, & understanding. I want to start this off by saying that this specific CVE is like many others in that, due to its high severity score, it has gained an enormous amount of attention in a short amount of time, resulting in a lot of false information & malicious activity surrounding it. The original researcher that discovered it is Wei.

This includes, but is not limited to, malware-based PoCs that have been posted to GitHub and are meant to look like genuine PoCs.

As such, I will be sharing only valid, non-misleading PoCs in this repo to help further research & understanding.

As the name suggests, this vulnerability only affects Windows, so if you use something else then this doesn't apply to you directly.

I will also be sharing mitigation strategies for anyone that would like to protect their systems from this vulnerability.

Overall Censys Summary

Issue Description:

This is a zero-click, wormable vulnerability in the IPv6 TCP/IP stack of Microsoft Windows that enables attackers to remotely execute arbitrary code on affected systems without any user interaction.

Asset Description:

The issue impacts Microsoft Windows versions that support IPv6. It is particularly risky for internet-facing Windows servers and user devices with IPv6 enabled.

Vulnerability Impact:

If successfully exploited, this vulnerability could allow attackers to remotely execute arbitrary code, which might result in a full system compromise, unauthorized data access, and/or exposure of sensitive information.

Exploitation Details:

The flaw is located in the IPv6 TCP/IP component of the Windows networking stack. Attackers can exploit this vulnerability by sending specially crafted IPv6 packets to a target machine, enabling RCE without user interaction.

Patch Availability:

Microsoft has issued a security update for this vulnerability as part of the August 2024 Patch Tuesday.
It is crucial for organizations to apply this update promptly to mitigate risks.
If immediate patching isn’t feasible, disabling IPv6 on affected Windows systems can help reduce the attack surface until the patch is applied.

My Own Research, Insights, & Recommendations

Disabling IPv6 only at the firewall level will have zero effect at preventing this vulnerability; the vulnerable code is in the host's own IPv6 stack, so the binding has to be disabled on the host's interfaces themselves.

Attempting to reproduce this vulnerability can be a little tedious at first, & it is valid to say that this vulnerability is a zero-click vulnerability in the IPv6 TCP/IP stack of Microsoft Windows, affecting many versions of Windows 10, Windows 11, & Windows Server.

This RCE vulnerability doesn't allow you to execute shellcode directly, but rather triggers an integer underflow that results in remote memory corruption. This effectively disrupts services on the vulnerable device. The genuine proofs of concept presented online, such as those from Marcus Hutchins (@MalwareTech) & ynwarcs, suggest that this could end up being used in the wild as a sort of Denial of Service (DoS) vulnerability in the weeks/months to come.

However, the PoC mentioned above has one flaw, in that you don't need to spam as many packets as it does to get the intended result. Some have proposed using as little as two packets to get the intended result; however, that implementation isn't always reliable. In my testing with a live, unpatched Windows machine, in a 60 second window, it takes about 25 packets minimum to always get the result we are expecting. Still, that is significantly less than the original design, which you could say is an improvement, as it still exponentially increases the memory space to coalesce, causing the memory corruption in the kernel, and end users see a blue screen.

Mitigations

If you're not able to update your systems with the latest patches for whatever reason, then your next best bet would be to disable IPv6 on all network interfaces, which limits the attack surface for this exploit significantly. However, don't use this as a long-term solution, as it could potentially break functionality on your system (anything that depends on IPv6 connectivity).

You would have to save this PowerShell script as script.ps1 & run it as administrator (it relaunches itself elevated if it isn't already):

```powershell
# Check if the script is running with admin privileges
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    # Restart the script with admin privileges (UAC prompt), then exit this unelevated copy
    $arguments = "& '" + $myInvocation.MyCommand.Definition + "'"
    Start-Process powershell.exe -ArgumentList $arguments -Verb RunAs
    Exit
}

# Disable IPv6 (the ms_tcpip6 binding) on every network interface where it is still enabled
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object {$_.Enabled -eq $true} | ForEach-Object {
    Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
}

# Confirm that IPv6 has been disabled: list any adapter where the binding is still enabled
$stillEnabled = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object {$_.Enabled -eq $true}
If ($stillEnabled) {
    Write-Warning "IPv6 is still enabled on: $($stillEnabled.Name -join ', ')"
} Else {
    Write-Host "IPv6 has been disabled on all network interfaces."
}
```
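As an added companion to the script above (this is not code from the repo), the following PowerShell audits whether any active adapter still has IPv6 bound, reads the Microsoft-documented `DisabledComponents` registry value that can also turn IPv6 off system-wide, and provides the rollback to re-enable IPv6 once the August 2024 update is installed. It assumes an elevated session on a Windows version that ships the NetAdapter module (Windows 8 / Server 2012 or later); the function names are my own.

```powershell
# Added audit & rollback helper for the IPv6 mitigation (not part of the original repo).
# Run elevated. Function names (Get-IPv6ExposureReport etc.) are assumptions, not Windows cmdlets.

function Get-IPv6ExposureReport {
    # One object per adapter: is the ms_tcpip6 binding enabled, and is the link up?
    # "Exposed" = IPv6 still bound on an adapter that is currently up.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
        $adapter = Get-NetAdapter -Name $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Adapter   = $_.Name
            IPv6Bound = [bool]$_.Enabled
            LinkUp    = ($adapter.Status -eq 'Up')
            Exposed   = ([bool]$_.Enabled -and $adapter.Status -eq 'Up')
        }
    }
}

function Get-IPv6DisabledComponents {
    # Microsoft-documented system-wide switch; a missing value means IPv6 is not disabled here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '0x0 (not set)' }
    return ('0x{0:X}' -f $item.DisabledComponents)
}

function Enable-IPv6AllAdapters {
    # Rollback for the disable script: re-bind ms_tcpip6 on every adapter where it is off.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object { -not $_.Enabled } | ForEach-Object {
        Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
    }
}

# Audit run: print the per-adapter table and the registry switch, warn if still exposed.
$report = Get-IPv6ExposureReport
$report | Format-Table -AutoSize
Write-Host ("Tcpip6 DisabledComponents: " + (Get-IPv6DisabledComponents))
if ($report | Where-Object { $_.Exposed }) {
    Write-Warning "IPv6 is still bound on an active adapter: apply the update or run the disable script."
}
```

Call `Enable-IPv6AllAdapters` explicitly after patching; the audit run at the bottom only reports and changes nothing.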

I'll be updating this GitHub repo for the next couple weeks with more research, updates, & other valid mitigation options.

Research Sources, & Links