
Micropatches for Windows IKE Extension Remote Code Execution (CVE-2022-34721)

5 October 2022 at 12:45

by Mitja Kolsek, the 0patch Team


September 2022 Windows Updates brought a fix for a remote code execution vulnerability in Windows IKE Extension discovered by Yuki Chen with Cyber KunLun. Soon after that, researchers from 78ResearchLab published an analysis and POC for this vulnerability. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.

The vulnerability is in the code responsible for handling IKEv1 (Internet Key Exchange version 1) key exchange protocol, which is deprecated but still supported for legacy reasons. It is a memory corruption issue, with the POC causing the svchost.exe process hosting the IKEEXT service to crash by attempting to read data beyond an allocated buffer. The crash only occurs with page heap (a debugging accessory) enabled for the process, while in a typical production configuration, the vulnerability could potentially be used for arbitrary code execution (as confirmed by Microsoft's advisory).

Microsoft assigned this issue CVE-2022-34721 and fixed it by adding a check for the length of incoming data, and bypassing the processing of such data if the length is too small. Our micropatch is logically equivalent to Microsoft's:



MODULE_PATH ".\ikeext.dll"
PATCH_ID 1000009
PATCH_FORMAT_VER 2
VULN_ID 1000010
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x2d131
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0
    PIT ikeext!0xaafd8,ikeext!0x2d1c0,ikeext!0x2d14f
    ; 0xaafd8 -> IkeCopyIncomingData
    ; 0x2d1c0 -> first WfpMemFree block
    ; 0x2d14f -> jump to NtohHeader in same block as patch

    code_start

        mov r8d, 1Ch         ; number of characters to copy; for memcpy in IkeCopyIncomingData
        lea rcx, [rbp-30h]   ; new buffer; for memcpy in IkeCopyIncomingData
        mov rdx, r14         ; buffer to copy from; for memcpy in IkeCopyIncomingData
        call PIT_0xaafd8     ; call IkeCopyIncomingData
        mov rbx, rax         ; save return from IkeCopyIncomingData
        test rax, rax        ; check if return from IkeCopyIncomingData is non-zero
        jnz PIT_0x2d1c0      ; jump to WfpMemFree block if non-zero

        lea rcx, [rbp-30h]   ; buffer with copied data
        jmp PIT_0x2d14f      ; jmp to NtohHeader in same block as patch

    code_end
patchlet_end
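To make the length check concrete, here is an added C illustration written for this post; it is not code from ikeext.dll or from the micropatch above. It assumes the 1Ch bytes being copied are the 28-byte fixed ISAKMP header (RFC 2408 layout), uses field and function names of our own, and parses a constructed sample packet rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IKE_HDR_LEN 0x1C   /* 28-byte ISAKMP header: the 1Ch the micropatch copies (assumption) */

/* Host-order view of the fixed IKEv1/ISAKMP header (RFC 2408 layout; field names are ours). */
typedef struct {
    uint8_t  init_cookie[8], resp_cookie[8];
    uint8_t  next_payload, version, exchange_type, flags;
    uint32_t message_id;
    uint32_t length;
} ike_header_t;

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *hdr when the datagram holds a whole header; returns -1 and touches
 * nothing when it is shorter, so the caller drops the packet instead of reading past it. */
int ike_copy_header(const uint8_t *data, size_t len, ike_header_t *hdr) {
    uint8_t local[IKE_HDR_LEN];
    if (data == NULL || hdr == NULL || len < IKE_HDR_LEN)
        return -1;                        /* the length check the fix adds */
    memcpy(local, data, IKE_HDR_LEN);     /* bounded copy into the local buffer */
    memcpy(hdr->init_cookie, local, 8);
    memcpy(hdr->resp_cookie, local + 8, 8);
    hdr->next_payload  = local[16];
    hdr->version       = local[17];
    hdr->exchange_type = local[18];
    hdr->flags         = local[19];
    hdr->message_id    = load_be32(local + 20);   /* the network-to-host ("Ntoh") step */
    hdr->length        = load_be32(local + 24);
    return 0;
}

/* Constructed sample (not captured traffic): a minimal, well-formed 28-byte IKEv1 header. */
static const uint8_t sample_packet[IKE_HDR_LEN] = {
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,  /* initiator cookie */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,  /* responder cookie, not yet set */
    0x01, 0x10, 0x02, 0x00,                   /* next payload SA, version 1.0, main mode, no flags */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x1C  /* message id 0, length 28 */
};

/* Feed only the first `len` bytes of the sample, as a truncated datagram would arrive. */
int parse_sample_prefix(size_t len, ike_header_t *hdr) {
    return ike_copy_header(sample_packet, len < IKE_HDR_LEN ? len : IKE_HDR_LEN, hdr);
}
```

A full 28-byte datagram is accepted and converted; anything shorter is rejected before any byte past the received data is read.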


This video demonstrates the effect of our micropatch. With 0patch disabled, launching the POC against a vulnerable computer causes a svchost.exe process to crash due to a memory access violation. With 0patch enabled, the vulnerability is no longer there, the malformed IKEv1 packet is blocked, and the service doesn't crash.



The micropatch was written for the following versions of Windows with all available Windows Updates installed:

  1. Windows 10 v2004
  2. Windows 10 v1909
  3. Windows 10 v1903
  4. Windows 10 v1809
  5. Windows 10 v1803
  6. Windows 7 without ESU, with year 1 of ESU and with year 2 of ESU
  7. Windows Server 2008 R2 without ESU, with year 1 of ESU and with year 2 of ESU

This micropatch has already been distributed to all online 0patch Agents with a PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center. For a trial or demo please contact [email protected].

We'd like to thank Yuki Chen for finding this issue, and 78ResearchLab researchers for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

