I can't think of any... Which in turn means that most systems probably aren't vulnerable. On Windows I think you need admin rights to open a raw socket, which means that only admins can pwn the machine...
I know there's some limits to the surface of this... but it seems that could precisely be triggered by certain types of security software, ironically designed to protect such systems. Eww...
It's far easier to find 0-days in antivirus software than in commonly used operating systems or servers (IIS, Nginx, ...). The attack surface is huge, the software often very old and written in a memory-unsafe language like C and C++ for performance reasons.
I reverse engineered some antivirus products myself and the quality of most AVs is pretty bad. AFL (American Fuzzy Lop) without a custom mutator crashed some of them in less than 15 minutes at the most trivial parts like parsing a PE file.
Also snakeoil features like "anti-rootkit scanner" just compare hashes (sometimes MD5 hashes) of installed drivers. In the past a rootkit could circumvent such scanners with IAT hooking. In 2023 those scanners are obsolete anyway.
Also antivirus 0-days are far cheaper than for other software.*
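The comment above describes fuzzers crashing AV engines in the PE parser. As an added illustration (my own code, not from any AV product or from the commenter), here is the bounds-checked way to walk a PE file from the DOS header to the section table: every offset read from the file (e_lfanew, SizeOfOptionalHeader, NumberOfSections) is validated against the buffer length before it is used, which is exactly the check a naive parser omits when AFL crashes it on a truncated or oversized e_lfanew. The minimal PE image is constructed inline for the demo; field offsets follow the PE/COFF format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t e_lfanew;   /* offset of the "PE\0\0" signature */
    uint16_t machine;    /* IMAGE_FILE_HEADER.Machine */
    uint16_t sections;   /* IMAGE_FILE_HEADER.NumberOfSections */
} pe_info;

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the DOS header, PE signature and COFF file header.
   Returns 0 on success; a negative code names the rejected condition. */
int parse_pe_header(const uint8_t *buf, size_t len, pe_info *out) {
    if (len < 0x40) return -1;                      /* IMAGE_DOS_HEADER is 64 bytes */
    if (buf[0] != 'M' || buf[1] != 'Z') return -2;  /* e_magic */
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* A naive parser does buf + e_lfanew unchecked. Require the 4-byte
       signature plus the 20-byte COFF header to lie inside the buffer. */
    if (e_lfanew > len || len - e_lfanew < 4 + 20) return -3;
    const uint8_t *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -4;
    out->e_lfanew = e_lfanew;
    out->machine  = rd16(pe + 4);
    out->sections = rd16(pe + 6);
    /* SizeOfOptionalHeader sits at offset 16 of the COFF header; the section
       table (40 bytes per entry) follows the optional header and must fit too. */
    uint16_t opt_size = rd16(pe + 4 + 16);
    size_t table_off = (size_t)e_lfanew + 24 + opt_size;
    if (table_off > len || (len - table_off) / 40 < out->sections) return -5;
    return 0;
}

/* Constructed sample: DOS stub, PE signature at 0x40, one section header,
   no optional header. 64 + 24 + 40 = 128 bytes. Returns the length written. */
size_t make_minimal_pe(uint8_t *buf, size_t cap) {
    const size_t total = 0x40 + 24 + 40;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = 0x64; buf[0x45] = 0x86;             /* Machine = 0x8664 (x64) */
    buf[0x46] = 1;                                  /* NumberOfSections = 1 */
    /* SizeOfOptionalHeader = 0, so the section table starts at 0x58 */
    memcpy(buf + 0x58, ".text", 5);
    return total;
}
```

The negative return codes are what a fuzzer harness would want to distinguish: -3 and -5 are the cases where the unchecked version would read past the end of the buffer.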
This means the listening socket was created using SOCK_RAW as opposed to SOCK_STREAM or SOCK_DGRAM. Raw sockets are used for working with ICMP, doing packet sniffing, sending some types of custom TCP packets, etc. Basically anything that isn't UDP or TCP, you'll need a raw socket for.
Historically programs like `ping` and `traceroute` use raw sockets. Using raw sockets requires privilege, which is why those historically have been setuid on Unix systems.
So is this a vulnerability in specific raw sockets applications (i.e., you could get it right in the application), or a vulnerability in the Windows kernel's TCP/IP stack that is only exploitable when there is a raw sockets application running?
Raw is a protocol type in the socket api allowing the application to send and receive arbitrary packets (e.g. not packets generated by the system's TCP implementation).
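To make the raw-socket discussion in the comments above concrete, here is an added example (my own code, not from any commenter or from the reported vulnerability) of what a `ping`-style program actually does with `SOCK_RAW`: it assembles the ICMP echo request itself, including the RFC 1071 checksum the kernel would otherwise compute for a TCP or UDP socket, and it probes whether the current process is even allowed to open the socket. On Linux the `socket(AF_INET, SOCK_RAW, ...)` call fails with `EPERM` unless the caller is root or holds `CAP_NET_RAW`, which is the privilege requirement the setuid comment refers to. The test packet (id 0x1234, seq 1, payload "ab") is constructed inline.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* RFC 1071 one's-complement checksum over 16-bit big-endian words,
   as required in the ICMP header. */
uint16_t icmp_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)                              /* odd trailing byte padded with zero */
        sum += (uint32_t)(data[len - 1] << 8);
    while (sum >> 16)                         /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (type 8, code 0) into buf.
   Returns the packet length, or 0 if buf is too small. */
size_t build_icmp_echo(uint8_t *buf, size_t cap, uint16_t id, uint16_t seq,
                       const uint8_t *payload, size_t plen) {
    if (cap < 8 + plen) return 0;
    buf[0] = 8; buf[1] = 0;                   /* type, code */
    buf[2] = 0; buf[3] = 0;                   /* checksum zeroed before computing */
    buf[4] = (uint8_t)(id >> 8);  buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(seq >> 8); buf[7] = (uint8_t)seq;
    memcpy(buf + 8, payload, plen);
    uint16_t ck = icmp_checksum(buf, 8 + plen);
    buf[2] = (uint8_t)(ck >> 8); buf[3] = (uint8_t)ck;
    return 8 + plen;
}

/* Try to open a raw ICMP socket. Returns 1 if the kernel refused for lack
   of privilege (EPERM/EACCES), 0 if it succeeded (root or CAP_NET_RAW),
   -1 for any other error. */
int raw_socket_privilege_probe(void) {
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { close(fd); return 0; }
    if (errno == EPERM || errno == EACCES) return 1;
    return -1;
}

int main(void) {
    uint8_t pkt[64];
    const uint8_t payload[2] = { 'a', 'b' };
    size_t n = build_icmp_echo(pkt, sizeof pkt, 0x1234, 1, payload, sizeof payload);
    printf("built %zu-byte echo request, checksum 0x%02x%02x\n", n, pkt[2], pkt[3]);
    switch (raw_socket_privilege_probe()) {
    case 0:  puts("raw socket opened: this process has CAP_NET_RAW or is root"); break;
    case 1:  puts("raw socket refused (EPERM): unprivileged process"); break;
    default: perror("socket"); break;
    }
    return 0;
}
```

Verifying a received packet uses the same routine: a checksum computed over the whole ICMP message, checksum field included, must come out as zero.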