CVE-2022-26809 – weakness in a core Windows component (RPC) earned a CVSS score of 9.8 not without a reason, as the attack does not require authentication and can be executed remotely over a network, and can result in remote code execution (RCE) with the privileges of the RPC service, which depends on the process hosting the RPC runtime. That critcal bug, with a bit of luck, allows to gain access to unpatched Windows host running SMB. The vulnerability can be exploited both from outside the network in order to breach it as well as between machines in the network.
Who is vulnerable?
Tested vulnerable hosts:
- Windows 10 Pro Build 10.0.10240 x64
- Windows 10 Pro Build 10.0.19042 x64
- Windows 10 Pro Build 10.0.19044 x64
- Windows Server 2019 x64
- Windows Server 2022 x64
- Windows 7 SP3 x64
We will update that list later. We suspect almost all builds with running SMB and open 445 port will suffer.
Locating the vulnerability
The CVE stated that the vulnerabilities lie within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll. This runtime library is loaded into both client and server processes utilizing the RPC protocol for communication. We compared versions 10.0.22000.434 (March) and 10.0.22000.613 (patched) and singled out list of changes.
The functions OSF_SCALL::ProcessResponse and OSF_CCALL::ProcessReceivedPDU are similar in nature; both process RPC packets, but one runs on the server side and the other on the client side (SCALL and CCALL). By diffing OSF_SCALL::ProcessReceivedPDU we noticed two code blocks that were added to the new version.
Looking at the patched code, we saw that after QUEUE::PutOnQueue a new function was called. Inspecting in on the new function and diving in its code, we figured out it checks for integer overflows. In other words, the new function in patch was added to verify that an integer variable remained within an expected value range.
Diving deeper into the vulnerable code in OSF_SCALL:GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied onto a buffer that is too small to populate it. This in turn allows data to be written out of the buffer’s bounds, on the heap. When exploited, this primitive leads us to remote code execution!
A same call to check for integer overflow was added in other functions as well:
OSF_CCALL::ProcessResponse OSF_SCALL::GetCoalescedBuffer OSF_CCALL::GetCoalescedBuffer
The integer overflow vulnerability and the function that prevents it exist in both client-side and server-side execution flows.
Proof of concept in action.
CVE-2022-26809 download exploit
As mentioned at the beginning, CVE-2022-26809 was given such a high CVSS score because it is zero-click. This means it can go unnoticed by the user and potentially by the security team as well. Such a powerfull tool should not be fully public, there is strictly limited 25 copies for sale at fair price: https://satoshidisk.com/pay/CFScHf – 10 out of the 25 POCs have been sold therefore the price has changed
This should attract attention to importance of cyber security, it can be tempting to ignore, or palm it off to the IT team. But both of these options can leave you susceptible to real and damaging risks.
Do not resell !
Do not publish !
Following mitigations, based on Microsoft’s official advisories and our work:
- Apply the latest security updates !
- Recommended to block traffic to TCP port 445 for devices outside of the perimeter !
- Allow incoming TCP port 445 only on machines where it is needed !
This project is intended for educational purposes ONLY and cannot be used for law violation or personal gain.
Do not use it without permission.
The authors of this project is not responsible for any damages caused by direct or indirect use of the information or functionality provided by those script.