Windows Internet Key Exchange (IKE) Remote Code Execution Vulnerability Analysis
EXECUTIVE SUMMARY
The CYFIRMA research team observed a series of exploits active in the wild targeting
Windows Internet Key Exchange (IKE) Protocol Extensions. We believe with moderate
confidence that this vulnerability is being used by threat actors to target almost
1000+ systems that are still vulnerable.
On underground forums, the CYFIRMA research team also observed unknown
hackers sharing a link to the exploit, which could be used to target vulnerable systems.
INTRODUCTION
A critical vulnerability has been identified in Microsoft Windows Internet Key Exchange
(IKE) Protocol Extensions. This vulnerability (CVE-2022-34721) affects unknown code of
the IKE Protocol Extensions component; manipulation of that code leads to remote code
execution (RCE). Its CVSS vector is summarized as follows:
• Attack Vector (AV) is Network
• Confidentiality (C) is High
• Integrity (I) is High
• Availability (A) is High
KEY TAKEAWAYS
• The vulnerability lies in the code that handles the IKEv1 (Internet Key
Exchange version 1) protocol, which is deprecated but retained for compatibility
with legacy systems.
• The POC triggers a memory corruption issue in the svchost process of the
vulnerable system. The corruption surfaces as a crash when Page
Heap (a heap-debugging feature) is enabled for the Internet Key
Exchange process: the svchost.exe process hosting the Internet Key
Exchange protocol service crashes while attempting to read
data beyond an allocated buffer.
VULNERABILITY AT A GLANCE
Windows Internet Key Exchange (IKE) Remote Code Execution
CVE-2022-34721
Description
The vulnerability is caused by a flaw in the Internet Key Exchange (IKE) Protocol
Extensions component. An attacker could exploit this vulnerability to execute
arbitrary code on the system, by sending a specially crafted IP packet to a
Windows node where IPSec is enabled.
The vulnerability only impacts IKEv1; IKEv2 is not impacted. However, all
Windows Servers are affected because they accept both v1 and v2 packets,
which makes the flaw critical.
AFFECTED VERSIONS
EXPLOIT ANALYSIS
The CYFIRMA research team carried out an exploit analysis of this vulnerability.
Details are as below:
• Sockets and the socket API are used to send messages across a network. They
provide a form of inter-process communication (IPC).
• Python's time module is used to handle time-related tasks in the POC.
• AF_INET is an address family that designates the type of addresses the
socket can communicate with (in this case, Internet Protocol v4 addresses).
• SOCK_DGRAM provides datagrams, which are connectionless messages of a fixed
maximum length.
• The crafted packet is sent to the target with a single call:
sock.sendto(raw(pkt), target)
Here raw(pkt) serialises the crafted packet object to bytes (raw() is most likely
Scapy's serialiser) and target is the (host, port) tuple of the vulnerable node.
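The key takeaway above describes the failure class (the IKE service reads past the end of an allocated buffer while handling a received datagram), and the exploit analysis shows that the trigger is a single UDP datagram. The following Python is an added example written for this page; it is not the POC and not CYFIRMA's or Microsoft's code. It shows the bounds check a safe ISAKMP/IKEv1 receive path must perform: the header's total length and every payload's length field are sender-controlled, so each must be validated against the bytes actually received before anything is read. The layouts follow RFC 2408 (28-byte header, 4-byte generic payload header); the sample datagrams are constructed for the example and the helper names (parse_isakmp, build_sample, classify) are this example's own.

```python
"""ISAKMP (IKEv1) length-consistency checker.

Added example: shows the bounds checks that stop a receiver from reading
beyond the buffer that holds an incoming datagram. Layouts per RFC 2408.
The sample datagrams built below are constructed for this example only.
"""
import struct

ISAKMP_HDR_LEN = 28           # fixed ISAKMP header size (RFC 2408 section 3.1)
GENERIC_PAYLOAD_HDR_LEN = 4   # next payload (1), reserved (1), payload length (2)
NO_NEXT_PAYLOAD = 0


class MalformedIsakmp(ValueError):
    """Raised when a length field disagrees with the bytes actually received."""


def parse_isakmp(datagram: bytes) -> dict:
    """Parse the ISAKMP header and walk the payload chain with bounds checks.

    Every read is validated against len(datagram), never against the length
    fields alone. Raises MalformedIsakmp instead of reading out of bounds.
    """
    if len(datagram) < ISAKMP_HDR_LEN:
        raise MalformedIsakmp(
            f"datagram too short for ISAKMP header: {len(datagram)} bytes")

    (_init_spi, _resp_spi, next_payload, version, exch_type, _flags,
     msg_id, total_len) = struct.unpack("!QQBBBBII", datagram[:ISAKMP_HDR_LEN])

    # A receiver that trusts total_len and reads that many bytes from a buffer
    # holding only len(datagram) bytes reads past the allocation. This is the
    # check that prevents it.
    if total_len < ISAKMP_HDR_LEN or total_len > len(datagram):
        raise MalformedIsakmp(
            f"header length {total_len} inconsistent with {len(datagram)} received bytes")

    payloads = []
    offset = ISAKMP_HDR_LEN
    ptype = next_payload
    while ptype != NO_NEXT_PAYLOAD:
        # Generic payload header must fit before it is decoded.
        if offset + GENERIC_PAYLOAD_HDR_LEN > total_len:
            raise MalformedIsakmp(
                f"payload header at offset {offset} runs past message end")
        nxt, _reserved, plen = struct.unpack(
            "!BBH", datagram[offset:offset + GENERIC_PAYLOAD_HDR_LEN])
        # plen < 4 would loop forever or go backwards; plen too large would
        # read beyond the received bytes.
        if plen < GENERIC_PAYLOAD_HDR_LEN or offset + plen > total_len:
            raise MalformedIsakmp(
                f"payload type {ptype} at offset {offset} declares {plen} bytes "
                f"but only {total_len - offset} remain")
        payloads.append({
            "type": ptype,
            "offset": offset,
            "length": plen,
            "data": datagram[offset + GENERIC_PAYLOAD_HDR_LEN:offset + plen],
        })
        offset += plen
        ptype = nxt

    return {
        "version": (version >> 4, version & 0x0F),   # (major, minor): 1 = IKEv1, 2 = IKEv2
        "exchange_type": exch_type,
        "message_id": msg_id,
        "length": total_len,
        "payloads": payloads,
    }


def build_sample(inflate_payload_by: int = 0, inflate_header_by: int = 0) -> bytes:
    """Constructed IKEv1 main-mode datagram carrying one SA payload (type 1).

    With a non-zero inflate_* argument the corresponding length field overstates
    the bytes that actually follow, the inconsistency a sensor should flag.
    """
    body = b"\x00" * 12   # placeholder SA body, not a real proposal
    plen = GENERIC_PAYLOAD_HDR_LEN + len(body) + inflate_payload_by
    payload = struct.pack("!BBH", NO_NEXT_PAYLOAD, 0, plen) + body
    total_len = ISAKMP_HDR_LEN + len(payload) + inflate_header_by
    header = struct.pack("!QQBBBBII",
                         0x1122334455667788,  # initiator SPI (constructed)
                         0,                   # responder SPI (none yet)
                         1,                   # next payload: SA
                         0x10,                # version 1.0 (IKEv1)
                         2,                   # exchange type: identity protection
                         0, 0, total_len)
    return header + payload


def classify(datagram: bytes) -> str:
    """Return 'ok' or the reason a network sensor would flag the datagram."""
    try:
        parse_isakmp(datagram)
        return "ok"
    except MalformedIsakmp as exc:
        return f"malformed: {exc}"


if __name__ == "__main__":
    print(classify(build_sample()))
    print(classify(build_sample(inflate_payload_by=100)))
    print(classify(build_sample(inflate_header_by=64)))
```

Because IKEv1 and IKEv2 arrive on the same UDP ports, the major version nibble returned in "version" is what lets a sensor or firewall policy distinguish the affected v1 traffic from v2 on a node that, as the advisory notes, accepts both.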
PROOF OF CONCEPT
The following sections showcase the POC details.
CRASH LOGS
Following are the log details of the memory corruption in svchost caused by the POC.
0:005> r
rax=0000017a08459000 rbx=0000000000000000 rcx=00000008905fef70
rdx=ffffffffffffc000 rsi=00000008905feff0 rdi=0000017a08456f10
rip=00007ffb9e48d138 rsp=00000008905fef30 rbp=00000008905fefa0
r8=0000000000000000 r9=0000000000000000 r10=0000017a08459000
r11=0000017a08459000 r12=0000000000000000 r13=0000017a0843cb80
r14=0000017a08456f20 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ikeext!IkeQueueRecvRequest+0x158:
00007ffb`9e48d138 0f1000 movups xmm0,xmmword ptr [rax]
ds:0000017a`08459000=????????????????????????????????
0:005> dq @rax
0000017a`08459000 ????????`???????? ????????`????????
0000017a`08459010 ????????`???????? ????????`????????
0000017a`08459020 ????????`???????? ????????`????????
0000017a`08459030 ????????`???????? ????????`????????
0000017a`08459040 ????????`???????? ????????`????????
0000017a`08459050 ????????`???????? ????????`????????
0000017a`08459060 ????????`???????? ????????`????????
0000017a`08459070 ????????`???????? ????????`????????
0:005> k
Campaign Details
CYFIRMA research observed a campaign named “流血你” (translating to “bleed you”),
suspected to have been launched on 6 September 2022 and targeting weak/vulnerable
Windows OS, Windows Servers, Windows protocols, and services. The unknown
Chinese threat actors identified these systems as running weak/vulnerable software
that could be exploited using existing exploits.
Target Industries
Target Geographies
Motivation
Exfiltration of sensitive information for financial gain, gaining elevated
access, and causing operational disruption.
TTPs
Exploiting a weakness in the systems, potential malware and ransomware attacks,
and lateral movement into the organization.
CONCLUSION
The analysis by CYFIRMA research of the Windows Internet Key Exchange (IKE)
Protocol Extensions remote code execution vulnerability provides a
detailed understanding of the POC that attackers could use to exploit this
vulnerability. Readers should also take note of the ETLM campaign details
uncovered and tracked by CYFIRMA.