来源

关联漏洞

描述

Remote Code Execution Exploit in the RPC Library

介绍

# CVE description
CVE-2022-26809 - weakness in a core Windows component (RPC) earned a CVSS score of 9.8 not without a reason, as the attack does not require authentication and can be executed remotely over a network, and can result in remote code execution (RCE) with the privileges of the RPC service, which depends on the process hosting the RPC runtime. That critcal bug, with a bit of luck, allows to gain access to unpatched Windows host running SMB. The vulnerability can be exploited both from outside the network in order to breach it as well as between machines in the network.

# Who is vulnerable?
- Windows 10 Pro Build 10.0.10240 x64
- Windows 10 Pro Build 10.0.19042 x64
- Windows 10 Pro Build 10.0.19044 x64
- Windows Server 2019 x64
- Windows Server 2022 x64
- Windows 7 SP3 x64

# Locating the vulnerability
The CVE stated that the vulnerabilities lie within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll. This runtime library is loaded into both client and server processes utilizing the RPC protocol for communication. We compared versions 10.0.22000.434 (March) and 10.0.22000.613 (patched) and singled out list of changes.

The functions OSF_SCALL::ProcessResponse and OSF_CCALL::ProcessReceivedPDU are similar in nature; both process RPC packets, but one runs on the server side and the other on the client side (SCALL and CCALL). By diffing OSF_SCALL::ProcessReceivedPDU we noticed two code blocks that were added to the new version.

![163493985-3373746d-6ef5-4079-803c-b8acda5338e9](https://user-images.githubusercontent.com/20278695/163975278-f8a04fdf-22d7-48e9-9caf-f5b49298972e.png)

![163494679-5fc53a11-4f5b-4eda-b185-777af4ae4dd6](https://user-images.githubusercontent.com/20278695/163975316-50bdc459-98b9-4205-a323-a4dee1cda079.png)


Looking at the patched code, we saw that after QUEUE::PutOnQueue a new function was called. Inspecting in on the new function and diving in its code, we figured out it checks for integer overflows. In other words, the new function in patch was added to verify that an integer variable remained within an expected value range.

![163493980-1e060df4-4e9d-454d-bb95-befec63ae22a](https://user-images.githubusercontent.com/20278695/163975337-e936c603-293e-4a45-a284-286265db424a.png)

Diving deeper into the vulnerable code in OSF_SCALL:GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it. This in turn allows data to be written out of the buffer’s bounds, on the heap. When exploited, this primitive leads us to remote code execution!

A same call to check for integer overflow was added in other functions as well:

OSF_CCALL::ProcessResponse OSF_SCALL::GetCoalescedBuffer OSF_CCALL::GetCoalescedBuffer

The integer overflow vulnerability and the function that prevents it exist in both client-side and server-side execution flows.

# PoC Status
Still in development, no ETA.

文件快照

 [4.0K]  /data/pocs/1a94ff28e424a4c4ca85f8a971deecedfcb0974a
├── [1.2K]  exploit.py
├── [2.9K]  README.md
├── [1.1M]  rpcrt4_new.dll
└── [1.1M]  rpcrt4_old.dll

0 directories, 4 files

备注