On October 13th, 2020, Microsoft launched a patch for a crucial vulnerability (CVE-2020-16898) within the IPv6 stack, able to inflicting BSOD (Blue Display screen of Loss of life). The vulnerability, codenamed “Unhealthy Neighbor”, is a bug within the IPv6 Neighbor Discovery Protocol, notably it’s improper dealing with of ICMPv6 Router Commercial Packets. Whereas publicly accessible proof of idea (PoC) code leads to a denial of service, attackers can exploit this bug to carry out distant code execution (RCE). This mixed with ease of exploitation has earned this vulnerability a CVSS v3 rating of 8.8.
Vulnerability Particulars and Evaluation
This vulnerability outcomes from improper dealing with of ICMPv6 Router Ads with Recursive DNS Server choices (RDNSS) and a good size area worth. In keeping with RFC 8106 the size choice for RDNSS is in models of Eight octets with a minimal worth of three for one IPv6 tackle and each extra RDNSS tackle will increase the size by 2. This area is used to find out the variety of IPv6 addresses within the choice (See Determine 1 under). The addresses area is a variable area that determines the quantity addresses which is the same as (Size-1)/2. Every IPv6 tackle is 16 bytes in size and every requires the size area to be larger than Three and an odd quantity.
zero 1 2 3
zero 1 2 Three four 5 6 7 Eight 9 zero 1 2 Three four 5 6 7 Eight 9 zero 1 2 Three four 5 6 7 Eight 9 zero 1
| Kind | Size | Reserved |
| Lifetime |
: Addresses of IPv6 Recursive DNS Servers :
Determine 1: RDNSS Choice Format
By Sending an RDNSS choice with a good size, we ship an IPv6 tackle worth which is Eight bytes in need of the required 16 bytes main the TCP/IP stack to imagine it’s the begin of a second choice resulting in buffer overflow or a possible RCE. The Home windows driver tcpip.sys fails to parse this sort of request with a good choice leading to a denial of service or a BSOD. Tcpip.sys is a home windows driver that’s used to speak amongst gadgets by setting the properties of TCP/IP.
McAfee Labs has an amazing write up explaining the vulnerability, which we advocate studying. This hyperlink additionally has an in depth rationalization of how the exploit works in addition to a proof of idea that we used for exhibiting exploitation within the video under.
As we all know Unhealthy Neighbor lets the final Eight bytes of the RDNSS choice to be interpreted as the primary bytes of a brand new choice. The PoC makes use of this misinterpretation and contains Routing Info Choice (sort = 24) with max size as the brand new choice. As these Eight bytes are initially subjected to be a part of the IPv6 tackle of the RDNSS choice it doesn’t bear validation that features a dimension of size test. Lastly, the packet is fragmented (See Determine 2 under) to verify NdisGetDataBuffer will write the whole lot into the storage buffer. The storage buffer is a static buffer of 0x20 bytes is unable to deal with all of the packets inflicting buffer overflow resulting in BSOD.
Determine 2: Exploit Packet Fragmentation
This vulnerability can’t be exploited over the Web and the /GS(Buffer Safety Verify) Buffer safety exploit mitigation makes it extraordinarily laborious to carry out code execution on trendy Home windows working programs. Weaponizing this to make it wormable is not going to be trivial. Nevertheless, it’s nonetheless potent for denial of service.
The easiest way to guard your system at present is by making use of Microsoft’s October Patch Tuesday updates. If you’re unable to patch you must disable ICMPV6 RDNSS with the next Powershell command.
netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable
This workaround is simply accessible for Home windows 1709 and above and doesn’t require a reboot. It must be famous that this disables RA-based DNS configuration. Please check with Microsoft Safety Advisory for extra particulars.
Trustwave Safety Testing Providers prospects can detect if this vulnerability is patched through authenticated scans. Moreover, Trustwave IDPS prospects are additionally lined with new alert signatures for this exploit.
To establish potential exploit makes an attempt, look out for Router Commercial (RA) packets (sort =134) with the RDNSS choice (choice sort = 25) (See Determine Three under). Flag those who have a good worth in its size area. Additionally, make certain the size is not less than 3. In instances that attempt to exploit the buffer overflow be careful for fragmented IPv6 packets adopted by the Router Commercial (See Determine 2 above). Moreover, a payload dimension larger than 100 bytes is usually a good indication of exploitation. A Home windows loader shellcode may be fairly small however will almost certainly push the payload previous 100 bytes. As all the time, monitor your personal networks to baseline what’s regular to finest implement this kind of detection.
Determine 3: Unhealthy Neighbor exploit packet