Microsoft Remote Procedure Call Runtime 远程代码执行漏洞（CVE-2024-26809）

• https://www.pwndefend.com/2022/04/14/cve-2022-26809/

影响范围

测试易受攻击的主机：

• Microsoft Microsoft Windows RT 8.1
• Microsoft Microsoft Windows 8.1 for x64-based systems
• Microsoft Microsoft Windows 8.1 for 32-bit systems
• Microsoft Microsoft Windows 7 for x64-based Systems SP1
• Microsoft Microsoft Windows 7 for 32-bit Systems SP1
• Microsoft Microsoft Windows 10 for x64-based Systems
• Microsoft Microsoft Windows 10 for 32-bit Systems
• Microsoft Microsoft Windows 10 21H2 for x64-based Systems
• Microsoft Microsoft Windows 10 21H2 for ARM64-based Systems
• Microsoft Microsoft Windows 10 21H2 for 32-bit Systems
• Microsoft Microsoft Windows 10 21H1 for x64-based Systems
• Microsoft Microsoft Windows 10 21H1 for ARM64-based Systems
• Microsoft Microsoft Windows 10 21H1 for 32-bit Systems
• Microsoft Microsoft Windows 10 20H2 for x64-based Systems
• Microsoft Microsoft Windows 10 20H2 for ARM64-based Systems
• Microsoft Microsoft Windows 10 20H2 for 32-bit Systems
• Microsoft Microsoft Windows 10 1909 for x64-based Systems
• Microsoft Microsoft Windows 10 1909 for ARM64-based Systems
• Microsoft Microsoft Windows 10 1909 for 32-bit Systems
• Microsoft Microsoft Windows 10 1809 for x64-based Systems
• Microsoft Microsoft Windows 10 1809 for ARM64-based Systems
• Microsoft Microsoft Windows 10 1809 for 32-bit Systems
• Microsoft Microsoft Windows 10 1607 for x64-based Systems
• Microsoft Microsoft Windows 10 1607 for 32-bit Systems
• Microsoft Microsoft Windows 11 for x64-based Systems
• Microsoft Microsoft Windows 11 for ARM64-based Systems
• Microsoft Microsoft Windows Server 20H2(Server Core Installation)
• Microsoft Microsoft Windows Server 2022(Server Core installation)
• Microsoft Microsoft Windows Server 2022
• Microsoft Microsoft Windows Server 2019(Server Core installation)
• Microsoft Microsoft Windows Server 2019
• Microsoft Microsoft Windows Server 2016(Server Core installation)
• Microsoft Microsoft Windows Server 2016
• Microsoft Microsoft Windows Server 2012(Server Core installation)
• Microsoft Microsoft Windows Server 2012 R2(Server Core installati
• Microsoft Microsoft Windows Server 2012 R2
• Microsoft Microsoft Windows Server 2012
• Microsoft Microsoft Windows Server 2008 R2 for x64-based Systems
• Microsoft Microsoft Windows Server 2008 R2 for x64-based Systems
• Microsoft Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Microsoft Windows Server 2008 for 32-bit Systems SP2(Se
• Microsoft Microsoft Windows Server 2008 for 32-bit Systems SP2

几乎所有运行 SMB 并开放 445 端口的构建都会受到影响。

漏洞定位

CVE 表示，漏洞位于 Windows RPC 运行时中，该运行时在名为 rpcrt4.dll 的库中实现。该运行时库被加载到使用 RPC 协议进行通信的客户端和服务器进程中。我们比较了版本 10.0.22000.434（3 月）和 10.0.22000.613（已修补）并挑选出更改列表。

OSF_SCALL::ProcessResponse 和 OSF_CCALL::ProcessReceivedPDU 函数本质上是相似的；两者都处理 RPC 数据包，但一个在服务器端运行，另一个在客户端运行（SCALL 和 CCALL）。通过区分 OSF_SCALL::ProcessReceivedPDU，我们注意到新版本中添加了两个代码块。

![(img-n0fGkT05-1652320262417)(https://user-images.githubusercontent.com/102196277/163494679-5fc53a11-4f5b-4eda-b185-777af4ae4dd6.png)]](https://img-blog.csdnimg.cn/ed3bbab1622844a19e58fca158cb5eb2.png)

查看修补后的代码，我们看到在 QUEUE::PutOnQueue 之后调用了一个新函数。检查新函数并深入研究它的代码，我们发现它检查整数溢出。换句话说，patch 中的新函数被添加来验证整数变量是否保持在预期值范围内。

深入研究 OSF_SCALL:GetCoalescedBuffer 中的易受攻击代码，我们注意到整数溢出错误可能导致堆缓冲区溢出，其中数据被复制到太小而无法填充的缓冲区。这反过来又允许在堆上将数据写入缓冲区边界之外。当被利用时，这个原语会导致我们远程执行代码！

在其他函数中也添加了相同的用于检查整数溢出的调用：

OSF_CCALL::ProcessResponse OSF_SCALL::GetCoalescedBuffer OSF_CCALL::GetCoalescedBuffer

整数溢出漏洞和防止它的功能存在于客户端和服务器端执行流程中。

漏洞分析

https://www.youtube.com/watch?v=GGlwy3_jVYE

CVE-2022-26809 PoC

CVE-2022-26809 EXP

自行购买

https://satoshidisk.com/pay/CFNsN8

修复建议