{"uuid": "2a0ceb95-2824-4402-abc1-5c8c4f5f223e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-38063", "type": "published-proof-of-concept", "source": "https://t.me/tengkorakcybercrewz/3934", "content": "Hackers Arise Using the Brand New IPv6 Exploit to DoS a Windows System \nWelcome back, my aspiring cyberwarriors!\n\n\n\n\nRecently, security researchers discovered a critical vulnerability in the Windows IPv6 packet processing system, which was subsequently assigned the identifier CVE-2024-38063. This vulnerability can lead to a denial of service, as well as remote code execution (RCE) via specially crafted IPv6 packets. \n\n\n\n\nUnlike many vulnerabilities that require user interaction or specific software to be installed, CVE-2024-38063 can potentially be exploited remotely with no user interaction, making it particularly dangerous. In this guide, we&apos;ll delve into the technical details of CVE-2024-38063 and explore how it can be exploited.\n\n\n\n\n\n\n\nVulnerability Details\n\n\n\n\nTo understand CVE-2024-38063, we need to delve into the intricacies of how Windows handles IPv6 packets. The vulnerability arises from a complex interplay of packet processing mechanisms within the Windows TCP/IP stack.\n\n\n\n\n\n\n\nWindows employs a technique called packet coalescing, where it combines multiple IP packets for batch processing. This is generally done to improve network performance. When processing these coalesced packets, Windows first handles the extension headers for each packet before moving on to the packet data itself.\n\nDuring this process, Windows creates a linked list of packet objects. Each of these objects contains what&apos;s called a NET_BUFFER, which holds the actual packet data, along with a current-offset field. This field indicates how far the packet has been parsed.\n\n\n\n\nThe vulnerability comes into play when processing a specific type of extension header called \"destination options.\" If an error occurs while parsing this header, it triggers an error handling function. This function is supposed to \"revert\" the buffered packet data to its starting point and reset the current-offset field to zero. However, there&apos;s a crucial flaw in this process: only the first packet in the linked list gets marked as having an error.\n\n\n\n\nThis is where things get interesting. Despite this error, the system continues to parse extension headers of other packets in the list, even if they&apos;ve been \"reverted.\" As a result, the system ends up processing unexpected data. Instead of pointing to the extension headers as it should, the packet data now points to the IPv6 header. Moreover, the offset field is zero instead of its expected value (typically 0x28).\n\n\n\n\nThe real trouble starts when the system processes fragment extension headers. To calculate the length of non-header data, it subtracts a fixed value (0x30) from the current offset. But remember, our offset is now incorrectly set to zero. This subtraction causes an underflow, resulting in a very large length value.\n\nIn certain timeout scenarios, this large length value gets used in 16-bit calculations. This causes an integer overflow, which ultimately leads to a buffer overflow when copying data. It&apos;s this buffer overflow that opens the door for potential DoS and arbitrary code execution.\n\n\n\n\nExploitation Strategy\n\n\n\n\nThe exploitation strategy takes advantage of the \u201cIpv6pReceiveFragment\u201d function and involves the following steps:\n\n\n\n\n1. \nSend malformed destination options to trigger \u201cIppSendError\u201d.\n\n2. \nFollow with a fragment packet.\n\n3. \nExploit packet coalescing to reset data and offset of the second packet.\n\n4. \nCause an underflow in \u201cIpv6pReceiveFragment\u201d, creating a reassembly object with a high 16-bit fragment data length.\n\n5. \nWait for 1 minute to trigger \u201cIpv6pReassemblyTimeout\u201d.\n\n6. \nCause an integer overflow in the buffer size calculation, leading to a heap-based buffer overflow.\n\n\n\n\n\nExploitation\n\n\n\n\nFor this guide, we&apos;ll be using a Python script that implements the CVE-2024-38063 exploit developed by ynwarcs.\n\n\n\n\nStep 1: Set Up the Environment\n\n\n\n\nFirst, we ne[...]", "creation_timestamp": "2024-09-03T22:43:46.000000Z"}