adenosine-phosphatase (4)

Last Login: October 15, 2020
Assessments
1
Score
4

adenosine-phosphatase's Contributions (2)

Sort by:
Filter by:
5

@kevthehermit- Actually, the writeups seem to be ok. There are two CVEs :
CVE-2020-16899 that deals with DNSSL (option 31) and CVE-2020-16898 that deals with RDNSS (option 25).

RDNSS defines that length>3 and is even, triggers the exploit.
if option_type == 25 and length > 3 and (length % 2) == 0 then).

DNSSSL lua (CVE-2020-16899) checks the option Type 31 (as you correctly stated) and the DNS name len
if option_type == 31 and length >= 35 then

if dns_name_len >= 264 then.

I am experimenting with CVE-2020-16898 for now and those conditions are met in my Poc, but no crash.
Checked that Windows 2019 has its RA Based Dns Config “enabled” to allow for crash, but no luck…

It may be that some other OPTIONS must follow RDNSS that write up did not outline. (Tried with Type 5 (MTU) and Type 24 (Route information) but no luck with either of them or both of them combined)

3
Technical Analysis

I did a small python script that constructs the ICMPv6 Router advertisement as per advisory : advertisement packet (Type 134) followed by Recursive DNS (Type 25) OPTION and made sure the Length field is an even number> 3 (as RFC and exploit advisory suggest). I added one more OPTION field (Route Information , Type 24) just in case. Launched it against Windows 2019 and it did not crash it. Checked that Wireshark showed properly constructed packet. Any other condition that exploit must satisfy as currently I seem to be missing something?
By the way, when Length field in the Recursive DNS OPTION is any even number, Wireshark indicted malformed packet. When the field is an odd number, packet is properly dissected.