new Windows feature: ping with remote code execution (CVE-2023-23415)

• new Windows feature: ping with remote code execution (CVE-2023-23415)
  Posted by madires on 20 Mar, 2023 14:15
• Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415
  
  It seems that all current WIndows versions are affected (most likely also old versions out of support). But there's is one prerequisite to exploit the vulnerability, an application needs to be bound to a raw socket.
• #1 Reply
  Posted by pdenisowski on 20 Mar, 2023 14:49
• Wow.  Just wow. 
• #2 Reply
  Posted by MrMobodies on 20 Mar, 2023 16:29
• https://nvd.nist.gov/vuln/detail/CVE-2023-23415#vulnConfigurationsArea
  

  Quote

  cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19805:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19805:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5786:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5786:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_11_21h2:10.0.22000.1696:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_11_21h2:10.0.22000.1696:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_11_22h2:10.0.22000.1413:*:*:*:*:*:arm64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_11_22h2:10.0.22000.1413:*:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
  ShowMatchingCPE(s)
  cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
  ShowMatchingCPE(s)
• #3 Reply
  Posted by jpanhalt on 20 Mar, 2023 16:55
• This is all well above my head.  Found that my Windows 7 will support raw sockets by following these directions:
  https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2?redirectedfrom=MSDN
  
  See attachment.
  
  How can you know whether a raw socket is actually enabled? And, how to disable, if enabled.

  ---

  
• #4 Reply
  Posted by SiliconWizard on 20 Mar, 2023 20:09
• Would be interesting to know what the cause is, but I guess we'll never get access to that, it's not open source.
  
• #5 Reply
  Posted by madires on 21 Mar, 2023 10:09
• Quote from: jpanhalt on 20 Mar, 2023 16:55

  How can you know whether a raw socket is actually enabled?
  

  
  netstat?
• #6 Reply
  Posted by jpanhalt on 21 Mar, 2023 11:43
• OK, I ran netstat (portion attached).  There are 4 statused as "ESTABLISHED," one that is "FIN_WAIT_1" and the rest are "TIME_WAIT."  What should one look for?  I see nothing with "RAW" in it.

  ---

  
• #7 Reply
  Posted by madires on 21 Mar, 2023 17:17
• The netstat command should have multiple options, but I don't know if the windows netstat is able to list the socket type.
• #8 Reply
  Posted by jpanhalt on 21 Mar, 2023 18:01
• Since the RAW was in IPv6 , I used -s to get statistics (attached). Google showed [-w] for socket type = RAW, but: netstat -w just gave a return of allowed extensions of which -w was not one.
  
  Found this from Microsoft:
  

  Quote

  For IPv6 (address family of AF_INET6), an application receives everything after the last IPv6 header in each received datagram regardless of the IPV6_HDRINCL socket option. The application does not receive any IPv6 headers using a raw socket.Jan 18, 2022

  
  I can't claim to understand it, but the last sentence seems clear if reliable.
  
  @ madires, Thank you so much.  This is a new word for me.

  ---

  
• #9 Reply
  Posted by madires on 21 Mar, 2023 19:36
• If I'm understanding the documentation for raw sockets in Windows correctly, then any ICMP based application would open a raw socket.