CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service

May 02, 2023 | Trend Micro Research Team

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code in the context of the DHCP service. The following is a portion of their write-up covering CVE-2023-28231, with a few minimal modifications.


A heap-based buffer overflow has been reported in Microsoft DHCPv6 Server. The vulnerability is due to improper processing of DHCPv6 Relay-forward messages. A remote attacker can exploit this vulnerability by sending crafted DHCPv6 Relay-forward messages to the target server. Successful exploitation could result in the execution of arbitrary code with administrative privileges.

The DHCPv6 Protocol

The Dynamic Host Configuration Protocol (DHCP) protocol is used to centrally manage and automate the assignment of IP addresses on a network. DHCPv6 is the Dynamic Host Configuration Protocol for IPv6. Although IPv6's stateless address auto-configuration can also be used to acquire an IPv6 address, DHCPv6 may be a more suitable solution to assign addresses, name servers and other configuration information that are configured with DHCP for IPv4.

DHCPv6 uses UDP on ports 547 and 546 for communication. The DHCPv6 protocol is described in RFC 8415. A typical DHCPv6 transaction consists of several DHCPv6 messages exchanged between the client and the server:

[ Client ] ----- Solicit -----> [ Multicast Addresses]
[ Client ] <---- Advertise----- [ Server ]
[ Client ] ----- Request -----> [ Multicast Addresses]
[ Client ] <---- Reply -------- [ Server ]
...
[ Client ] ----- Release -----> [ Multicast Addresses]
[ Client ] <---- Reply -------- [ Server ]

Briefly, the way DHCPv6 work is as follows: before a client obtains an IPv6 address, it sends a Solicit message to the link-scoped multicast address to find a DHCPv6 server. For the DHCPv6 protocol, the value of the link- scoped multicast address is "FF02::1:2". Any DHCPv6 server on the local network may respond with an Advertise message. If the client selects the DHCPv6 server, it sends a Request message to get an IPv6 address and other configuration information. The server responds with a Reply message containing the IPv6 address and other configuration.

The general structure of DHCPv6 messages between clients and servers is shown below:

Offset Length Description
(bytes)
-------------------------------------
0x00 1 msg-type
0x01 3 transaction-id
0x04 var options

The msg-type field is DHCPv6 message identifier. The value of the msg-type field for Solicit, Advertise, Request, Renew, and Reply messages are 1, 2, 3, 5, and 7, respectively. The options field of a DHCPv6 message contains a sequence of option fields.

The general structure of an option field is as follows:

Offset Length Description
(bytes)
-------------------------------------
0x00 2 option-code
0x02 2 option-length (N)
0x04 N option-data

To allow a DHCP client to send a message to a DHCP server that is not attached to the same link, a DHCP relay agent on the client's link will relay messages between the client and server. This relay agent acts as an intermediary to deliver DHCP messages between clients and servers. In certain configurations, there may be more than one relay agent between clients and servers, so a relay agent may send DHCP messages to another relay agent.

The general structure of messages between a relay agent and other relay agents and servers is shown below:

Offset Length Description
(bytes)
-------------------------------------
0x00 1 msg-type
0x01 1 hop-count
0x02 16 link-address
0x12 16 peer-address
0x22 var options

This format is shared by the two relay agent messages: Relay-forward and Relay-reply. Specifically, for Relay-forward messages, the msg-type field is set to RELAY-FORW (12) and the options field must include a Relay Message option. The Relay Message option has its option-code field set to OPTION_RELAY_MSG (9), and its option-data contains the received message.

The Vulnerability

A heap-based buffer overflow has been reported in Microsoft DHCPv6 Server. The vulnerability is due to improper processing of DHCPv6 Relay-forward messages. The DHCPv6 server runs as a svchost.exe service and follows the DHCPv6 protocol to supply IPv6 addresses for the network devices on the system. When the server receives a Relay-forward message, it is processed by the function ProcessRelayForwardMessage() within dhcpssvc.dll. This function initializes a 1664-byte heap buffer, which is an array of 32 structures of size 52 bytes for each nested Relay- forward message encountered. The function also initializes a counter used to count the number of nested Relay- forward messages encountered. While processing the outer Relay-forward message, each time a nested Relay- forward message is encountered within a Relay Message option, the array of structures is filled at the appropriate offset and the counter is incremented. However, no validation is done to ensure that the counter does not exceed the maximum expected number of hops, 32. Therefore, if more than 32 nested Relay-forward messages are included in a Relay-forward message, the function will write to an offset exceeding the size of the allocated buffer, resulting in a buffer overflow.

A remote attacker can exploit this vulnerability by sending crafted DHCPv6 Relay-forward messages containing more than 32 nested Relay-forward messages to the target server. Successful exploitation could result in the execution of arbitrary code. Since the service runs as NETWORK SERVICE, after a compromise, an attacker could escalate to SYSTEM.

Source Code Walkthrough

The following code snippet was taken from dhcpssvc.dll version 10.0.17763.3469. Comments added by Trend Micro have been highlighted.

From function ProcessRelayForwardMessage():

ProcessRelayForwardMessage+EC loc_180070924:
; pointer to array of structures
ProcessRelayForwardMessage+EC lea rcx, [rdi+644h] ; void *
; initialize counter to 0
ProcessRelayForwardMessage+F3 mov [rdi+0CC4h], eax
ProcessRelayForwardMessage+F9 xor edx, edx ; Val
ProcessRelayForwardMessage+FB mov r8d, 680h ; Size
; initialize array of structures
ProcessRelayForwardMessage+101 call memset_0
[... Truncated for readability ...]
ProcessRelayForwardMessage+251 loc_180070A89:
ProcessRelayForwardMessage+251 cmp bl, 0Ch
ProcessRelayForwardMessage+254 jnz loc_180070CC9
ProcessRelayForwardMessage+25A cmp esi, 22h ; '"'
ProcessRelayForwardMessage+25D jb loc_18007098C
; read counter value
ProcessRelayForwardMessage+263 mov edx, [rdi+0CC4h]
ProcessRelayForwardMessage+269 mov ecx, r8d
ProcessRelayForwardMessage+26C movzx eax, byte ptr [r14+1]
ProcessRelayForwardMessage+271 sub ecx, edx
ProcessRelayForwardMessage+273 cmp ecx, eax
ProcessRelayForwardMessage+275 jnz loc_180070C83
ProcessRelayForwardMessage+27B movups xmm0, xmmword ptr [r14]
ProcessRelayForwardMessage+27F sub esi, 22h ; '"'
ProcessRelayForwardMessage+282 add r13d, 22h ; '"'
; multiply counter value by 52
ProcessRelayForwardMessage+286 imul rcx, rdx, 34h ; '4'
; write to array of structure at offset calculated
; buffer overflow occurs here
ProcessRelayForwardMessage+28A movups xmmword ptr [rcx+rdi+644h], xmm0
ProcessRelayForwardMessage+292 movups xmm1, xmmword ptr [r14+10h]
ProcessRelayForwardMessage+297 movups xmmword ptr [rcx+rdi+654h], xmm1
ProcessRelayForwardMessage+29F movzx eax, word ptr [r14+20h]
ProcessRelayForwardMessage+2A4 add r14, 22h ; '"'
ProcessRelayForwardMessage+2A8 mov [rcx+rdi+664h], ax
ProcessRelayForwardMessage+2B0 mov r10, cs:WPP_GLOBAL_Control
ProcessRelayForwardMessage+2B7 test esi, esi
ProcessRelayForwardMessage+2B9 jle loc_180070C31
[... Truncated for readability ...]
ProcessRelayForwardMessage+3F9 loc_180070C31:
ProcessRelayForwardMessage+3F9 jnz loc_18007091A
ProcessRelayForwardMessage+3FF test r15, r15
ProcessRelayForwardMessage+402 jz loc_18007091A
; increment counter
ProcessRelayForwardMessage+408 inc dword ptr [rdi+0CC4h]
ProcessRelayForwardMessage+40E movzx ecx, word ptr [r15+2] ; netshort
ProcessRelayForwardMessage+413 call cs:__imp_ntohs
ProcessRelayForwardMessage+41A nop dword ptr [rax+rax+00h]
ProcessRelayForwardMessage+41F mov r8d, dword ptr [rsp+98h+var_58]
ProcessRelayForwardMessage+424 lea r14, [r15+4]
ProcessRelayForwardMessage+428 mov r15d, [rsp+98h+arg_0]
ProcessRelayForwardMessage+430 mov r9d, 4
ProcessRelayForwardMessage+436 add r13d, r9d
ProcessRelayForwardMessage+439 movzx esi, ax
; continue loop iteration
ProcessRelayForwardMessage+43C jmp loc_1800709A6

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on UDP ports 546 and 547 and be capable of inspecting DHCPv6 packets on UDP port 547.

The general structure of DHCPv6 messages between clients and servers and the general structure of an option field is shown above. The general structure of messages between a relay agent and other relay agents and servers is also shown above.

If a DHCPv6 Relay-forward message is found, meaning the value of its msg-type field is 12, the detection device must iterate through each option present in the options field. For each option, if the option is of type Relay Message, meaning the value of its option-code field is 9, the detection device must parse its option-data field as a new message. If the total number of Relay-forward messages encountered is greater than 32, the traffic should be considered suspicious; an attack exploiting this vulnerability is likely underway.

Note that all multi-byte values are in network byte order.

Conclusion

Microsoft addressed this vulnerability in April 2023 and assigned the vulnerability CVE-2023-28231. While they state that exploitation is unlikely, we do have working Proof-of-Concept (PoC) code available. Microsoft provides no other workaround apart from applying the available fix. This is the only suggested action to address the vulnerability. While DHCP is not a routable protocol, it is still recommended to apply the update once tested.

Special thanks to Guy Lederfein and Lucas Miller of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.