Microsoft has patched a serious vulnerability in the Windows TCP/IP stack that, under some conditions, could enable an attacker to run code on remote machines. The flaw lies in the way the stack handles a large volume of specially crafted packets sent to a vulnerable machine.
Microsoft officials said that the vulnerability, which is one of a handful of flaws fixed by the company in November’s Patch Tuesday release, is a serious one, but that the scenarios in which it can be exploited for remote code execution are limited. The vulnerability crops up when an attacker sends a large volume of crafted UDP packets to a machine on a port that doesn’t have any service listening on it.
“While processing these network packets it is observed that some used structures are referenced but not dereferenced properly. This unbalanced reference counting could eventually lead to an integer overflow of the reference counter,” Microsoft’s SWIAT team said in a blog post on the vulnerability.
In order for the bug to be exploitable, some specific conditions need to be present. If a dereference happens immediately after the counter has gone back to zero, Windows will free the structure. If that happens, there are four things that can occur, Microsoft said:
• The memory is still mapped and contains the old data. No crash results and the system works as normal.
• The memory is unmapped and the system crashes when it is referenced. This results in a system denial-of-service.
• The memory is re-allocated for the same structure. No crash results and the system works as normal.
• The memory is re-allocated for a different structure. This could result in a system crash, or if attacker-controlled data is present, could lead to memory corruption or remote code execution.
The last scenario in the list is the one that could lead to remote code execution, the company said.
“While the last scenario can theoretically lead to RCE, we believe it is difficult to achieve RCE using this vulnerability considering that the type of network packets required are normally filtered at the perimeter and the small timing window between the release and next access of the structure, and a large number of packets are required to pull off the attack,” Microsoft’s team said.
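The unbalanced reference counting the advisory describes, reduced to a runnable model in C. This is an added example written for this page, not Microsoft's code and not the patched Windows implementation: the flow_t structure, the saturating REF_MAX limit and the starting counter values are all constructed for illustration, and the free-on-zero logic is a simplification of what a real stack does. The counter is started just below the 32-bit wrap point so the run finishes instantly instead of after roughly four billion packets; the arithmetic is the same. The unchecked path shows the counter wrapping to zero so that the next balanced take/release frees the object out from under a holder that never released it, which is the dangling-reference state the four scenarios above branch from. The checked path, modelled on the saturating reference counters used in other kernels, refuses to increment past REF_MAX and never frees a saturated object, trading a bounded memory leak for the overflow.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-connection structure the advisory refers to. */
typedef struct {
    uint32_t refs;   /* 32-bit reference counter, the field that overflows */
    int freed;       /* set when the object is released (instead of calling free) */
} flow_t;

/* --- Unchecked counter: the bug class the advisory describes --- */

/* Take a reference: plain increment, wraps silently from 0xFFFFFFFF to 0. */
static void ref_unchecked(flow_t *f) { f->refs++; }

/* Release a reference: the object is freed when the counter reaches zero. */
static void unref_unchecked(flow_t *f) {
    if (--f->refs == 0)
        f->freed = 1;
}

/* --- Checked counter: saturating mitigation (assumed pattern, not the Windows fix) --- */

#define REF_MAX 0x7FFFFFFFu  /* saturation point; chosen for this example */

/* Take a reference, refusing to go past REF_MAX. Returns 1 on success, 0 if refused. */
static int ref_checked(flow_t *f) {
    if (f->refs == 0 || f->refs >= REF_MAX)
        return 0;            /* dead object, or counter already saturated */
    f->refs++;
    return 1;
}

/* Release a reference. A saturated object is pinned forever: leaking it is
 * preferable to the use-after-free that a wrap to zero would cause. */
static void unref_checked(flow_t *f) {
    if (f->refs >= REF_MAX || f->refs == 0)
        return;
    if (--f->refs == 0)
        f->freed = 1;
}

/* Simulate n packets that each take a reference and never give it back, then one
 * balanced take/release by a legitimate user. start_refs models the references
 * already held (the long-lived holder plus earlier leaks).
 * Returns 1 if the object was freed while the long-lived holder still held it. */
int leak_then_touch_unchecked(uint32_t start_refs, unsigned long n) {
    flow_t f = { start_refs, 0 };
    for (unsigned long i = 0; i < n; i++)
        ref_unchecked(&f);
    ref_unchecked(&f);       /* legitimate user takes a reference ... */
    unref_unchecked(&f);     /* ... and releases it */
    return f.freed;
}

/* Same sequence through the checked counter. *refused receives the number of
 * leaking packets whose reference the counter rejected. */
int leak_then_touch_checked(uint32_t start_refs, unsigned long n, unsigned long *refused) {
    flow_t f = { start_refs, 0 };
    *refused = 0;
    for (unsigned long i = 0; i < n; i++)
        if (!ref_checked(&f))
            (*refused)++;
    if (ref_checked(&f))
        unref_checked(&f);
    return f.freed;
}

int main(void) {
    unsigned long refused;
    /* Constructed starting point: three more leaked references wrap a 32-bit counter to 0. */
    int freed_unchecked = leak_then_touch_unchecked(UINT32_MAX - 2u, 3);
    printf("unchecked, counter at 0xFFFFFFFD + 3 leaks: freed under holder = %d\n",
           freed_unchecked);
    int freed_checked = leak_then_touch_checked(REF_MAX - 2u, 10, &refused);
    printf("checked, counter at REF_MAX-2 + 10 leaks: freed = %d, refused = %lu\n",
           freed_checked, refused);
    return 0;
}
```

Running it shows the unchecked counter reporting the object freed while its original holder still owns a pointer to it, and the checked counter refusing the surplus references and never freeing. The saturating design is a mitigation for the counter arithmetic only; the advisory's other limiting factor, that such packets are normally dropped at the perimeter, is a separate control.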