by Mitja Kolsek, the 0patch Team
January 2022 Windows Updates brought a fix for a local privilege escalation in Windows IKE Extension Remote Code Execution, discovered by Polar Bear. Ten days ago (as of this writing), researchers from 78ResearchLab published an analysis and a POC for this vulnerability. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.
The vulnerability allows a remote attacker to cause memory (heap) corruption on the target computer by sending a malformed ISAKMP packet using the IKE protocol, whereby the VendorID payload is longer than the expected 10h characters. The vulnerable code namely prepares a 10-character buffer on the stack for storing this value, and in case a longer value is provided, the memcpy (memory copy) operation results in memory locations beyond the end of buffer being overwritten with attacker-chosen content. In the absence of a negative proof, such vulnerabilities are assumed to be exploitable for arbitrary code execution (although the POC at hand only results in crashing the process.)
Microsoft assigned this issue CVE-2022-21849 and fixed it by adding a check for the length of the VendorID value: if the length isn't exactly 10h (if the size of the entire payload including the 10h-byte prologue isn't exactly 20h), it ignores this value. Our micropatch with just two CPU instructions is logically equivalent to Microsoft's:
MODULE_PATH "..\AffectedModules\ikeext.dll_10.0.17134.254_Win10-1803_64-bit_u202105\ikeext.dll"
PATCH_ID 1018
PATCH_FORMAT_VER 2
VULN_ID 7502
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x2d93f
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT IKEEXT.DLL!0x1fb64
code_start
cmp r13d, 20h ; is the size of the VendorID payload equal to 20h?
jne PIT_0x1fb64 ; if not, ignore the value
code_end
patchlet_end
The micropatch was written for the following Versions of Windows with all available Windows Updates installed:
- Windows 10 v2004
- Windows 10 v1903
- Windows 10 v1803
To learn more about 0patch, please visit our Help Center.
We'd like to thank Polar Bear for finding this issue, and 78ResearchLab researchers for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.
Article Link: 0patch Blog: Micropatches for Windows IKE Extension Remote Code Execution (CVE-2022-21849)