Thursday 5 September 2024

Weaponizing Windows tcpip.sys "EvilESP" RCE CVE-2022-34718

 Hello everyone, so now I started to write some n days exploits to learn more real world exploitations. I found this blog post by @chompie in which she explained the CVE-2022-34178 very clearly. So , I will follow this blog post and some more resources in making the final exploits. I will document every step from zero to RCE. Once again ,Thanks @chompie.

Recon

So, This CVE was patched in September 2022 patch Tuesday. Lets take a look at the Microsoft advisory of this CVE. 
An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine.

As usual Microsoft doesn't provides much information but the only thing we get to know from this is that it is related to a IPv6 packet , IPSec and it is a RCE.  So, for getting more info , we have to do patch diffs of the tcpip.sys file before and after patch. We will use Bindiff , binary diffing tool.  It is free and open source.

There is a very handy site that maintains the windows binaries of every update ,Winbindex . You can search for tcpip.sys  file in x64 architecture. 

Here, you can see that the tcpip.sys binaries are shown according to their windows version and KB number. Since we want the binary from September 2022. On the Microsoft advisory page you can see that this patch was released on 13 September. You can click on  show button to get more info about the release date . As we will try this on Windows 22H2, we will look for that.

On clicking on the show  button you can see that this binaries was release on 13 September and the just previous version for that same windows version was released on October. Download these two binaries.
You can any disassembler , I am using Ida Freeware 8.4 sp2 (free) . Load the binaries in IDA and Binexport  the binary so that bindiff can diff it. 

Open bindiff and create a new workspace, File-> New Workspace . Then, click on diff-> new diff and the add the vulnerable and patched file in the primary and secondary diffs.

After the diffs are loaded , click on the matched functions .

Then, click on similarities. 
Here you can see that there is only two functions that has been patched Ipv6ReassembleDatagram and IppReceiveEsp .
The difference in the code in Ipv6ReassembleDatagram and IppReceiveEsp are marked below:

Bug Analysis

To be Continued......