Author Topic: new Windows feature: ping with remote code execution (CVE-2023-23415)  (Read 953 times)

madires (Topic starter)
Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

It seems that all current Windows versions are affected (most likely also old versions out of support). But there is one prerequisite to exploit the vulnerability: an application needs to be bound to a raw socket.
 
The following users thanked this post: pdenisowski

pdenisowski
« Reply #1 on: March 20, 2023, 02:49:52 pm »
Wow.  Just wow. 
 

MrMobodies
« Reply #2 on: March 20, 2023, 04:29:40 pm »
https://nvd.nist.gov/vuln/detail/CVE-2023-23415#vulnConfigurationsArea
Quote
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19805:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1507:10.0.10240.19805:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5786:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1607:10.0.14393.5786:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_1809:10.0.17763.4131:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_20h2:10.0.19042.2728:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_21h2:10.0.19044.2728:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_10_22h2:10.0.19045.2728:*:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_11_21h2:10.0.22000.1696:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_21h2:10.0.22000.1696:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_11_22h2:10.0.22000.1413:*:*:*:*:*:arm64:*
cpe:2.3:o:microsoft:windows_11_22h2:10.0.22000.1413:*:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
 

jpanhalt
« Reply #3 on: March 20, 2023, 04:55:42 pm »
This is all well above my head.  Found that my Windows 7 will support raw sockets by following these directions:
https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-raw-sockets-2?redirectedfrom=MSDN

See attachment.

How can you know whether a raw socket is actually enabled? And, how to disable, if enabled.
 

SiliconWizard
« Reply #4 on: March 20, 2023, 08:09:41 pm »
Would be interesting to know what the cause is, but I guess we'll never get access to that, it's not open source.
 

madires (Topic starter)
« Reply #5 on: March 21, 2023, 10:09:26 am »
Quote
How can you know whether a raw socket is actually enabled?

netstat?
 
The following users thanked this post: jpanhalt

jpanhalt
« Reply #6 on: March 21, 2023, 11:43:43 am »
OK, I ran netstat (portion attached).  There are 4 statused as "ESTABLISHED," one that is "FIN_WAIT_1" and the rest are "TIME_WAIT."  What should one look for?  I see nothing with "RAW" in it.
 

madires (Topic starter)
« Reply #7 on: March 21, 2023, 05:17:49 pm »
The netstat command should have multiple options, but I don't know if the Windows netstat is able to list the socket type.
 
The following users thanked this post: jpanhalt

jpanhalt
« Reply #8 on: March 21, 2023, 06:01:20 pm »
Since the RAW was in IPv6, I used -s to get statistics (attached). Google showed [-w] for socket type = RAW, but netstat -w just gave a return of allowed extensions, of which -w was not one.

Found this from Microsoft:
Quote
For IPv6 (address family of AF_INET6), an application receives everything after the last IPv6 header in each received datagram regardless of the IPV6_HDRINCL socket option. The application does not receive any IPv6 headers using a raw socket. (Jan 18, 2022)

I can't claim to understand it, but the last sentence seems clear if reliable.

@madires, thank you so much.  This is a new word for me.
 

madires (Topic starter)
« Reply #9 on: March 21, 2023, 07:36:34 pm »
If I'm understanding the documentation for raw sockets in Windows correctly, then any ICMP-based application would open a raw socket.
 