Full Report
This post will cover my journey into the analysis of CVE-2019-0547 (Affecting the windows DHCP client), a vulnerability discovered by Mitch Adair of Microsoft Windows Enterprise Security Team and how I found a new issue in the same function. Part 1Patch extractionPatch diffingProgram flow to the functionDHCP Options0x000x00Part 2Integer overflowNobody respects RFCs0xC0 “compression algorithm”Final conclusions Patch extraction Even though these first steps around patch downloading, extraction and diffing are already heavily documented over the internet, I will cover them here in any case.
Analysis Summary
# Vulnerability: Windows DHCP Client Memory Corruption (CVE-2019-0547 & Follow-up CVE-2019-0726)
## CVE Details
- CVE ID: CVE-2019-0547 (Original vulnerability discussed) and CVE-2019-0726 (Follow-up discovered vulnerability)
- CVSS Score: Not explicitly provided in the text, but the article implies high security relevance as it was a "1day" vulnerability and led to further discovery.
- CWE: Not explicitly provided, but the technical detail points towards Heap-based Buffer Overflow or Integer Overflow resulting in memory corruption.
## Affected Systems
- Products: Windows DHCP Client
- Versions: Windows 10 x64-based Systems Version 1803 (The analysis focused on this specific version receiving KB4480966). Vulnerability likely affects other systems running the affected DHCP client component.
- Configurations: Systems processing crafted DHCP Options data.
## Vulnerability Description
The analysis focused on the Windows DHCP client and a function related to processing DHCP Options.
1. **CVE-2019-0547 (Original Flaw):** Involved an integer overflow issue, potentially related to calculating heap allocation sizes based on DHCP options data. Microsoft applied a patch that introduced a check to prevent heap allocation if the calculated size was zero.
2. **CVE-2019-0726 (Follow-up Discovery):** The researcher found a bypass for the patch of CVE-2019-0547. The original flaw involved incorrect handling of data, including a process that would write a comma (`,`) at `offset-1` if it encountered a null byte (`0x00`). The patch only checked if the calculated size for `HeapAlloc()` was zero *before* allocating memory. By crafting a payload that *starts* with `0x00` (causing the subsequent write offset calculation to wrap around to `0xFFFFFFFF` or similar due to subtraction/offset calculations), the program attempts to write outside the allocated chunk, leading to memory corruption, even after the initial patch.
## Exploitation
- Status: CVE-2019-0547 was a "1day" vulnerability, suggesting exploitation was known or imminent. CVE-2019-0726 was discovered during the patch analysis.
- Complexity: The follow-up exploit (PoC) appears to be of **Medium** complexity to achieve the crash, requiring precise crafting of the DHCP packet contents, specifically triggering a null byte at the control location. The initial control over crash data and location was low, resulting primarily in a Denial of Service.
- Attack Vector: Network (DHCP interaction).
## Impact
Based on the described outcome (memory corruption and freezing network processes):
- Confidentiality: Potential (If memory corruption allows control flow redirection, though the PoC only demonstrated DoS).
- Integrity: High (Arbitrary writes could occur, though the researcher initially only achieved writing a comma byte).
- Availability: High (Results in Denial of Service (DoS) by freezing network-related processes until a reboot or service restart).
## Remediation
### Patches
Patches were issued by Microsoft to address both vulnerabilities:
- **KB4480966:** This security update for Windows 10 Version 1803 addresses CVE-2019-0547 and likely contains the initial fix that the researcher bypassed.
- **Implied Patch for CVE-2019-0726:** A subsequent, or updated, patch must exist to fully address the bypassed condition discovered by the researcher. (Vendor advisory path leads to the general guidance).
### Workarounds
- No specific, immediate technical workarounds (other than installing the patch) are detailed in this excerpt, short of disabling the DHCP client service entirely (which would break network functionality).
## Detection
- Detection methods focus on analyzing DHCP traffic, specifically looking for crafted DHCP Option payloads that trigger the buffer/heap write condition, which would manifest as unexpected memory operations or crashes in the `dhcpcore.dll` component.
- Indicators of Compromise: System freezes impacting network stability, potentially accompanied by process crashes related to DHCP services. A script was provided by the author for testing/playing with the vulnerability.
## References
- Vendor Advisory (CVE-2019-0547): `https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0547`
- Vendor Advisory (CVE-2019-0726): `https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0726`
- Patch Reference: KB4480966 (`https://support.microsoft.com/en-gb/help/4480966/windows-10-update-kb4480966`)
- Proof of Concept Script Link (External): `https://gist.github.com/h3ku/6e1bce8368a53e8ff7adba2c03505fbc`