Why did the DHCP server go to therapy? It had an existential crisis about its vulnerabilities!
Introduction
On Apr 11, 2023 (Patch Tuesday), a vulnerability was identified in some Windows servers running DHCP service, which can cause remote code execution. This vulnerability arises due to improper access to the DHCP v6 Relay-forward message.
DHCP, also known as Dynamic Host Configuration Protocol. As the name suggests, it helps us in dynamically delivering IP addresses to the hosts allowing them to communicate over the network. DHCP works on the client-server request-response model. It works at the application layer, and the IP address assigned by the DHCP server is dynamic in nature and automatically expires if a renewal request is not initiated. It works on the DORA process, which stands for:
D=Discover
O=Offer
R=Request
A=Acknowledge
To gain a deeper understanding of the CVE-2023-28231 vulnerability, it is essential to explore the DHCP's fundamental features and grasp the essential DHCPv6 concepts. The purpose of designing IPv6 was to allow stateless IP address auto configuration. When deployed, the host grabs its IP address without requiring additional protocols such as DHCP. DHCP was used previously by IPV4 only, but as soon as IPV6 came into the picture, DHCPv6 was Introduced. DHCPv6 uses SARR for message exchange instead of DORA, which stands for:
S=Solicit
A=Advertise
R=Request
R=Reply
This process lets clients obtain IPv6 addresses and configuration information from valid DHCPv6 servers.
DHCPv4 | DHCPv6 |
|---|---|
DHCPv4 uses a 32-bit IPv4 address. | DHCPv4 uses a 128-bit IPv6 address. |
DHCPv4 uses IPv4 messages on the LAN. | DHCPv6 uses Router Advertisement and IPv6 multicast messages on the LAN. |
DHCPv4 supports broadcast-based communication for address assignment. | DHCPv6 uses multicast or anycast communication for address assignment. |
DHCPv4 uses a 4-step process for address allocation: Discover, Offer, Request, and Acknowledge (DORA). | DHCPv6 leverages: Solicit/Advertise/Request/Reply (SARR) |
DHCPv4 relies on MAC addresses for client identification. | DHCPv6 employs a unique identifier (DUID) for client identification. |
DHCPv4 does not support stateless address configuration. | DHCPv6 supports both stateful and stateless address configuration. |
DHCPv4 does not have built-in support for security features. | DHCPv6 includes security features such as IPsec for secure communication. |
DHCPv4 is not extensible and does not support options beyond the defined set. | DHCPv6 is extensible and supports the addition of custom options. |
Understanding DHCPv6 relay agents
DHCP clients use local broadcast messages to obtain IP addresses from the DHCP server. Since the default behaviour of the router does not include forwarding the local messages, if the DHCP server is configured outside the local network, the client cannot receive an IP address from the DHCP server. In order to overcome this, a DHCP relay comes into the picture. As it sits between a DHCP server and a client, it allows the DHCP client to get an IP address from the DHCP server, which is not configured on the same Local Area Network.
Heap-based buffer overflow vulnerability
The vulnerability identified in Microsoft DHCPv6 Server stems from improper processing of DHCPv6 relay-forward messages. Specifically, the function responsible for handling Relay-forward messages fails to validate the number of nested Relay-forward messages, leading to a heap-based buffer overflow. This flaw can be exploited by sending a crafted DHCPv6 relay-forward message which contains more than 32 nested characters.
Affected products for CVE-2023-28231 DHCP RCE
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Server 2016
Microsoft Windows Server 2019
Microsoft Windows Server (Server Core installation) 2019
Microsoft Windows Server (Server Core installation) 2016
Microsoft Windows Server (Server Core installation) 2012 R2
Microsoft Windows Server (Server Core installation) 2012
Microsoft Windows Server for X64-based systems 2008 R2 SP1
Microsoft Windows Server for X64-based systems (Server Core installation) 2008 SP2
Microsoft Windows Server for 32-bit systems (Server Core installation) 2008 SP2
Microsoft Windows Server for 32-bit systems 2008 SP2
Microsoft Windows Server for X64-based systems (Server Core installation) 2008 R2 SP1
Microsoft Windows Server 2022
Microsoft Windows Server (Server Core installation) 2022
Microsoft Windows Server for X64-based systems 2008 SP2
Source code analysis
A snippet of the source code from the affected dhcpssvc.dll version 10.0.17763.3469 reveals the vulnerable function, "ProcessRelayForwardMessage()". The code initializes a buffer to store the Relay-forward messages but fails to validate the number of messages, resulting in a buffer overflow. The Trend Micro research team referenced the following code, referencing the vulnerable function, ProcessRelayForwardMessage().
You can view the entire raw assembly code here.
Detection of CVE-2023-28231
For us to detect if such an attack is happening, an instrument must monitor and check the traffic on specific ports. Specifically, if the device finds a message called "DHCPv6 Relay-forward" with a specific value, it should look at all the options within that message. If it finds an option called "Relay Message" with another specific value, it should treat the information in that option as a new message. The device then needs to count how often it encounters these Relay-forward messages. If it finds more than 32 of them, it should be suspicious and assume that an attack is likely in progress. Finally, it's important to note that some values in these messages are stored in a particular way called "network byte order," so the device must convert those values before correctly understanding and comparing them. This is important to keep in mind when analyzing the messages.
Further, the detection device must monitor the traffic on UDP ports 546 and 547 and inspect DHCPv6 packets on UDP port 547. When it sees a DHCPv6 Relay-forward message, which a relay agent sends to other relay agents or servers to request an IP address on behalf of a client, it should examine all the options in that message as stated above. The "new" message will contain DHCPv6 options with information about the client's request for an IP address.
Analysis of POC Code
The patch for CVE-2023-28231 restricts the number of occurrences of a specific message structure in Dynamic Host Configuration Protocol (DHCP) to 0x20 or less. The POC indicates that the DHCPv6 protocol vulnerability trigger condition has been modified to allow unauthorized and unconditional code execution. However, enabling static IPv6 addresses on the server is necessary to exploit the vulnerability.
The researchers also discovered another form of data processing, DHCPv6 broadcast. While monitoring the data reception entry point of the DHCPv6 protocol, they constructed an example of a DHCPv6 broadcast by sending information using GPT’s provided information on DHCPv6-related flags and Wireshark. They attempted to make the messages reach the vulnerable function ProcessRelayForwardMessage. While the other varieties of messages were received directly, The relay forward messages with the critical DHCP flag of 0x0c cannot be received by the top-level processing function DhcpV6ProcessPacket.
In addition to meeting the validation requirements of the vulnerability function itself, it is crucial to ensure that the DHCPv6 relay forward message is correctly validated in "Dhcpv6MessageLoop".
The researchers also found a code path that can trigger the variable where the patch is located after several unsuccessful attempts. However, it is still under determination if everything is resolved. This vulnerability presents a significant security concern as it could result in unauthorized control over the target system. To mitigate this risk, organizations should stay up-to-date with security patches and adopt a proactive approach towards network security. They should monitor their network traffic, including DHCPv6-related packets, and implement access control policies to prevent unauthorized access.
Overall, this PoC highlights the need for continuous vigilance against potential security threats and underlines the importance of thorough testing to identify vulnerabilities in complex systems.
Mitigation of CVE-2023-28231
Upgrade to the latest version of DHCPv6, which has necessary security updates and patches installed.
References:
Register for instructor-led online courses today!
Check out our free programs!
Contact us with your custom pen testing needs at: info@darkrelay.com or WhatsApp.