November 16, 2024 by @DKob & @N3TCR4SH

A critical flaw with a 9.8 CVSS score (CRITICAL) in the Windows TCP/IP stack has transformed IPv6 from a revolutionary upgrade into an unexpected gateway for remotely compromising any Windows machine with IPv6 enabled. (IPv6 is enabled by default) Buried deep within the kernel, this vulnerability allows attackers to trigger 0-click RCE or DoS attacks. The implications are significant: no user interaction is required, just carefully crafted packets that exploit weaknesses in IPv6. This article examines how this vulnerability has evolved into a potent tool for exploiting Windows systems. {CVE-2024-38063}

<aside> <img src="https://prod-files-secure.s3.us-west-2.amazonaws.com/b0edf093-4014-4603-af27-b4044f283218/6993b574-96b5-46e6-90f5-a7aea46521fa/gettyimages-517398572sq.jpg" alt="https://prod-files-secure.s3.us-west-2.amazonaws.com/b0edf093-4014-4603-af27-b4044f283218/6993b574-96b5-46e6-90f5-a7aea46521fa/gettyimages-517398572sq.jpg" width="40px" />

“Technological progress has merely provided us with more efficient means for going backwards”

~ Aldous Huxley

</aside>

CVE - CVE-2024-38063

CVE Information

• Proof Of Concept: https://github.com/Dragkob/CVE-2024-38063

• Affected Systems

How it works

This explanation will be presented in two parts: first, a general overview, followed by a detailed technical analysis for those seeking a deeper understanding.

General Overview

• This vulnerability is exceptionally critical due to its location: at the core of the Windows kernel, within one of the most easily accessible components of the operating system. At the core of the issue is the way the Windows kernel processes IPv6 extension headers. IPv6 was created to solve IPv4’s address exhaustion problem and introduced several enhancements, including extension headers. These headers enable additional instructions to be embedded within packets, enhancing flexibility but also increasing complexity.

• The following diagrams illustrates the structure of IPv6 and its extension headers. Our primary focus is on the extension headers, specifically the 'Hop-by-Hop Options' and 'Destination Options' headers.

• When mishandled, IPv6 extension headers can introduce critical vulnerabilities. CVE-2024-38063 highlights a flaw in the way the Windows kernel processes fragmented IPv6 packets.

Title: IPv6 Header | Source: CSTALEEM

Title: Extension Headers | Source: Wikipedia

• Normally, these fragmented packets are reassembled at their destination to restore the original data. However, the kernel’s handling of this process is flawed. By sending numerous packets with specifically crafted and manipulated extension headers, an attacker can cause the system to become overwhelmed. This results in memory mismanagement and ultimately a buffer overflow, where excess data spills into unintended memory areas. This overflow opens the door for attackers to inject and execute arbitrary code. (It’s actually an integer underflow that causes this buffer overflow - more details in the technical analysis if you’re interested.)

• This concludes the general overview. For a deeper understanding of how this vulnerability functions and the reverse-engineering process behind it, please proceed to the technical analysis. Alternatively, you can skip ahead to the PoC video and code available at the end of the article.

Technical Analysis {Reverse Engineering the Patch}

• In addition to what has already been discussed, it is important to note that Microsoft’s fix for this issue involved modifications to tcpip.sys, the kernel driver responsible for managing TCP/IP packets.

  • Before proceeding further, we would like to extend our gratitude to Marcus Hutchins for his research, which inspired us to undertake this investigation and reverse-engineer the issue ourselves. For a detailed, highly technical (kernel/assembly) breakdown of the process, we encourage you to check out his article here. We will not reiterate the different explanations discussed in Marcus' article (Just a short overview of them), as he has already addressed them. Although we arrived at similar findings using Ghidra for reverse-engineering, we will refrain from duplicating his discoveries.

• The modification made to tcpip.sys involves a line of code in the function Ipv6pProcessOptions(), indicating that the issue was specifically related to this line prior to the patch. Based on the function's name, we can deduce that the problem was associated with the IPv6 Options headers. Before the patch, the Ipv6pProcessOptions() function only called a function named IppSendError**List**(). After the patch, however, it now also calls IppSendError() if a certain condition is met. This suggests that, under certain conditions, the data is sometimes sent as part of a list, and other times not.