Experts have analyzed a critical vulnerability in the TCP/IP driver.
Security researcher Marcus Hutchins published a paper analyzing CVE-2024-38063, a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) over IPv6 packets. The vulnerability received a CVSS score of 9.8, highlighting its danger.
In his report, Hutchins describes how he has been studying the vulnerability since the release of the last Windows patch on August 13. He noted that this vulnerability affects the most easily accessible part of the Windows kernel: the driver responsible for processing TCP/IP packets, tcpip.sys.
"It took a moment to analyze the patch to identify changes in the code. Only one feature change was made, which confirmed the presence of a vulnerability. It was the easiest patch analysis I've ever done," Hutchins writes. The changed function was Ipv6pProcessOptions().
Despite the ease of identifying the vulnerable code, reverse engineering it and developing a working exploit turned out to be much more difficult. The researcher spent weeks analyzing the code and testing various scenarios. He created a proof-of-concept (PoC) that triggers a denial of service (DoS) but does not achieve full remote code execution.
"I wanted to publish a working PoC for DoS, but it turned out to be extremely difficult to reliably trigger the bug, which makes it unsuitable for widespread use," Hutchins notes.
However, another researcher, @ynwarcs, managed to find a way to exploit the vulnerability, which is confirmed by the PoC he published. This code is available at the link here.
Hutchins concludes the report by emphasizing the importance of studying such vulnerabilities and sharing his experience:
"I learned a lot from working on this study, and I hope the article was useful to you as well," he concludes.