From 71c8aba2358014b0a99d5c75008eb39e994736f6 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 23 Apr 2026 19:11:20 +0000 Subject: [PATCH] Add content from: CVE-2026-33824: Remote Code Execution in Windows IKEv2 --- .../ipsec-ike-vpn-pentesting.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md index 0cbd3155c64..7379cad8220 100644 --- a/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md +++ b/src/network-services-pentesting/ipsec-ike-vpn-pentesting.md 
@@ -328,6 +328,43 @@ Practical tips - Increase receive buffer and timeouts for UDP-based scanners to avoid packet loss. - If the service exposes custom Vendor IDs (see section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic. +## IKEv2 fragmentation abuse: async shallow-copy double free (Windows IKEEXT case study) + +RFC 7383 fragmentation (`SKF`, payload type `0x35`) is a good place to look for **pre-auth memory corruption** in IKEv2 implementations. Reassembly code often builds a temporary packet context, copies state from the long-lived SA object, and reinjects the reassembled message into later parsing stages. If some fields are **deep-copied** while embedded pointers are only **shallow-copied**, packet-context cleanup can free memory still owned by the SA, and the same allocation can be freed again later during SA teardown. + +Real-world pattern seen in Windows IKEEXT: +- During `IKE_SA_INIT`, a Vendor ID handler allocates a blob tied to the SA. +- A fragmented `IKE_AUTH` is reassembled and queued for async processing. +- The queueing path deep-copies the reassembly buffer but leaves the SA-owned blob pointer aliased inside the queued packet context. +- Destroying the queued context frees the aliased pointer first. +- Negotiation cleanup later tears down the original SA and frees the same pointer again, yielding a **double free** reachable from the network. + +Practical auditing notes: +- Treat **fragment reassembly + reinjection + async work queues** as one attack surface, not separate features. +- Compare which fields are deep-copied versus shallow-copied when packet contexts are queued to worker threads. +- Check whether invalid reassembled messages still traverse cleanup paths. A malformed `IKE_AUTH` may still be enough if reassembly and queue teardown happen before semantic validation fails. 
+- For Windows targets, the reachable service is typically **IKEEXT** listening on **UDP/500** and **UDP/4500** (NAT-T), so successful exploitation targets a privileged network-facing service. + +### Detection notes for fragmentation-driven IKEv2 exploitation + +This pattern is **stateful**. A single packet is not enough; correlate packets within the same IKE session: + +1. Look for an `IKE_SA_INIT` request that contains a vendor-specific setup payload. In the Windows case study, the write-up keys on: + - UDP payload offset `17`: `20 22 08` (`IKEv2`, `IKE_SA_INIT`, initiator) + - Vendor ID bytes anywhere later in the packet: `68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8` +2. From the same source / IKE session, look for fragmented `IKE_AUTH` traffic: + - UDP payload offset `16`: `35 20 23 08` (`SKF`, `IKEv2`, `IKE_AUTH`, initiator) + - UDP payload offset `20`: `00 00 00 01` + +Parsing notes: +- Multi-byte fields are **big-endian**. +- On **UDP/4500**, the 4-byte non-ESP marker `00 00 00 00` shifts all IKE offsets by `+4`. +- Detection quality improves if you correlate on the IKE SPIs from the header instead of just source IP/port. + +Operational notes: +- If IKE is not needed, block **UDP/500** and **UDP/4500**. +- If IKE is required, restrict those ports to known peers while patches are being deployed. + ## Reference Material - [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf) 
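Review bot: the correlation advice in the detection notes ("correlate on the IKE SPIs from the header instead of just source IP/port") should say which SPI to key on: in the `IKE_SA_INIT` request the responder SPI field (UDP payload bytes 8..15, or 12..19 on UDP/4500) is zero per RFC 7296, so the only usable key at that point is the initiator SPI in bytes 0..7, which is carried unchanged in every `SKF` `IKE_AUTH` fragment of the same session; the responder SPI only becomes known from the `IKE_SA_INIT` response, so a detector that waits for both SPIs will miss sessions where it sees only the initiator side. Two smaller points in the same region: the `00 00 00 01` check at offset `20` is the Message ID and matches only the first `IKE_AUTH` request, so it should be described as "first `IKE_AUTH` request" rather than as a general fragmented `IKE_AUTH` signature, and the Operational notes list only network controls, so they should lead with applying the vendor update (the MSRC advisory for this CVE is added to the reference list in this same patch) and present blocking or restricting UDP/500 and UDP/4500 as the interim measure while that is rolled out.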
@@ -345,5 +382,8 @@ Practical tips - [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/) - [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html) +- [ZDI - CVE-2026-33824: Remote Code Execution in Windows IKEv2](https://www.thezdi.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2) +- [RFC 7383 - Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation](https://datatracker.ietf.org/doc/rfc7383/) +- [Microsoft Security Update Guide - CVE-2026-33824](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33824) {{#include ../banners/hacktricks-training.md}}
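Review bot: the case-study section added earlier in this patch says "In the Windows case study, the write-up keys on" without naming the write-up or the CVE, while this hunk adds the ZDI post and the MSRC entry for CVE-2026-33824 to the reference list; the section heading or its first paragraph should name CVE-2026-33824 and cite the ZDI entry, so the Vendor ID bytes and the byte offsets in the detection notes are attributable to a specific source rather than an unnamed write-up. The three new entries otherwise follow the list's existing `- [Title](URL)` form, and the RFC 7383 link is the right reference for the `SKF` / `0x35` payload type claim at the top of the new section.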