adenosine-phosphatase (6)

Last Login: September 18, 2022

adenosine-phosphatase's Latest (3) Contributions

Sort by:
Filter by:
Technical Analysis

I must be missing something as the PoC script * does not execute any exception/BSOD let alone the RCE.

From what I can see, the script does not carry any RCE payload, but I thought it would at least cause some app/os exception.
When I fire it up against w2k19 VPN server, nothing happens.
I would have expected that at least some kind of unhandled exception/BSOD occurred, but nothing …


@kevthehermit- Actually, the writeups seem to be ok. There are two CVEs :
CVE-2020-16899 that deals with DNSSL (option 31) and CVE-2020-16898 that deals with RDNSS (option 25).

RDNSS defines that length>3 and is even, triggers the exploit.
if option_type == 25 and length > 3 and (length % 2) == 0 then).

DNSSSL lua (CVE-2020-16899) checks the option Type 31 (as you correctly stated) and the DNS name len
if option_type == 31 and length >= 35 then

if dns_name_len >= 264 then.

I am experimenting with CVE-2020-16898 for now and those conditions are met in my Poc, but no crash.
Checked that Windows 2019 has its RA Based Dns Config “enabled” to allow for crash, but no luck…

It may be that some other OPTIONS must follow RDNSS that write up did not outline. (Tried with Type 5 (MTU) and Type 24 (Route information) but no luck with either of them or both of them combined)

Technical Analysis

I did a small python script that constructs the ICMPv6 Router advertisement as per advisory : advertisement packet (Type 134) followed by Recursive DNS (Type 25) OPTION and made sure the Length field is an even number> 3 (as RFC and exploit advisory suggest). I added one more OPTION field (Route Information , Type 24) just in case. Launched it against Windows 2019 and it did not crash it. Checked that Wireshark showed properly constructed packet. Any other condition that exploit must satisfy as currently I seem to be missing something?
By the way, when Length field in the Recursive DNS OPTION is any even number, Wireshark indicted malformed packet. When the field is an odd number, packet is properly dissected.