40 changes: 40 additions & 0 deletions src/network-services-pentesting/ipsec-ike-vpn-pentesting.md
Expand Up @@ -328,6 +328,43 @@ Practical tips
- Increase receive buffer and timeouts for UDP-based scanners to avoid packet loss.
- If the service exposes custom Vendor IDs (see section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic.

## IKEv2 fragmentation abuse: async shallow-copy double free (Windows IKEEXT case study)

RFC 7383 fragmentation (`SKF`, payload type `0x35`) is a good place to look for **pre-auth memory corruption** in IKEv2 implementations. Reassembly code often builds a temporary packet context, copies state from the long-lived SA object, and reinjects the reassembled message into later parsing stages. If some fields are **deep-copied** while embedded pointers are only **shallow-copied**, packet-context cleanup can free memory still owned by the SA, and the same allocation can be freed again later during SA teardown.

Real-world pattern seen in Windows IKEEXT:
- During `IKE_SA_INIT`, a Vendor ID handler allocates a blob tied to the SA.
- A fragmented `IKE_AUTH` is reassembled and queued for async processing.
- The queueing path deep-copies the reassembly buffer but leaves the SA-owned blob pointer aliased inside the queued packet context.
- Destroying the queued context frees the aliased pointer first.
- Negotiation cleanup later tears down the original SA and frees the same pointer again, yielding a **double free** reachable from the network.

Practical auditing notes:
- Treat **fragment reassembly + reinjection + async work queues** as one attack surface, not separate features.
- Compare which fields are deep-copied versus shallow-copied when packet contexts are queued to worker threads.
- Check whether invalid reassembled messages still traverse cleanup paths. A malformed `IKE_AUTH` may still be enough if reassembly and queue teardown happen before semantic validation fails.
- For Windows targets, the reachable service is typically **IKEEXT** listening on **UDP/500** and **UDP/4500** (NAT-T), so successful exploitation targets a privileged network-facing service.

### Detection notes for fragmentation-driven IKEv2 exploitation

This pattern is **stateful**. A single packet is not enough; correlate packets within the same IKE session:

1. Look for an `IKE_SA_INIT` request that contains a vendor-specific setup payload. In the Windows case study, the write-up keys on:
- UDP payload offset `17`: `20 22 08` (`IKEv2`, `IKE_SA_INIT`, initiator)
- Vendor ID bytes anywhere later in the packet: `68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8`
2. From the same source / IKE session, look for fragmented `IKE_AUTH` traffic:
- UDP payload offset `16`: `35 20 23 08` (`SKF`, `IKEv2`, `IKE_AUTH`, initiator)
- UDP payload offset `20`: `00 00 00 01`

Parsing notes:
- Multi-byte fields are **big-endian**.
- On **UDP/4500**, the 4-byte non-ESP marker `00 00 00 00` shifts all IKE offsets by `+4`.
- Detection quality improves if you correlate on the IKE SPIs from the header instead of just source IP/port.

Operational notes:
- If IKE is not needed, block **UDP/500** and **UDP/4500**.
- If IKE is required, restrict those ports to known peers while patches are being deployed.

## Reference Material

- [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
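Review bot: the new section describes the Windows IKEEXT case study without naming the advisory it is drawn from; the identifier (CVE-2026-33824) only appears in the reference list further down, so the "Real-world pattern seen in Windows IKEEXT:" line should carry it so readers can map the pattern to the MSRC entry and the patch. In the detection notes, the last parsing bullet recommends correlating on the IKE SPIs but never says where they are: the initiator SPI is the first 8 bytes of the IKE header and the responder SPI the next 8 (offsets 0-7 and 8-15, shifted by +4 on UDP/4500 as the marker bullet already states), and in the `IKE_SA_INIT` request the responder SPI is all zero, which is a cheap extra constraint for that first match. The "Vendor ID bytes anywhere later in the packet" match would also produce fewer false positives if it were anchored on a Vendor ID payload header (payload type `0x2b`) rather than a free byte search. Minor: the two offset bullets start at `17` and `16` respectively; stating once that offset 16 is the Next Payload byte and 17 the version byte would make the asymmetry obvious to someone writing the rule.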
Expand All @@ -345,5 +382,8 @@ Practical tips

- [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/)
- [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html)
- [ZDI - CVE-2026-33824: Remote Code Execution in Windows IKEv2](https://www.thezdi.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2)
- [RFC 7383 - Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation](https://datatracker.ietf.org/doc/rfc7383/)
- [Microsoft Security Update Guide - CVE-2026-33824](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33824)

{{#include ../banners/hacktricks-training.md}}
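Review bot: the added references mix separators ("ZDI - CVE-2026-33824", "RFC 7383 - Internet Key Exchange ...") with the en dash used by the neighbouring "0xdf – HTB: Expressway" entry; pick one form for the list. It would also help to put the RFC 7383 entry next to the vendor write-ups it supports (ZDI blog and MSRC guide) rather than between them, since the section above cites the RFC for the SKF payload type and the two advisories for the case study.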