Skip to content

CVE-2024-38063

TCP/IP stack — integer underflow in IPv6 packet reassembly allows RCE

Summary

Field Value
Driver tcpip.sys
Vulnerability Class Integer Overflow
Vulnerable Build 10.0.22621.3958 (KB5040527)
Fixed Build 10.0.22621.4036 (KB5041585)
Exploited ITW No

Affected Functions

  • Ipv6pReassembleDatagram
  • Ipv6pReceiveFragment
  • IppReassembleDatagram

Root Cause

The tcpip.sys driver handles all TCP/IP network traffic processing in the Windows kernel, including IPv6 packet reassembly. When the kernel receives fragmented IPv6 packets, the functions Ipv6pReceiveFragment and Ipv6pReassembleDatagram are responsible for collecting fragments, tracking their offsets and lengths, and reassembling them into a complete datagram. Buffer sizes for reassembly are calculated based on fragment offset and length fields carried in each incoming packet's IPv6 Fragment Extension Header.

The vulnerability is an integer underflow in the arithmetic used during this reassembly process. When a specially crafted sequence of IPv6 fragments is sent to the target, a subtraction operation on unsigned integer values wraps around, producing an extremely large or unexpectedly small result. This incorrect size is then used to allocate a kernel pool buffer for the reassembled datagram. Because the allocation size does not match the actual volume of fragment data being copied, a heap buffer overflow occurs: the kernel copies fragment payload into a buffer that is too small, corrupting adjacent objects in the kernel pool.

The attack surface is particularly dangerous because it is remotely triggerable with no authentication or user interaction required. An attacker only needs network connectivity to send crafted IPv6 packets to the target system. The affected code path is reached during normal packet processing, meaning any Windows machine with IPv6 enabled (the default configuration) is vulnerable.

AutoPiff categorizes this as int_overflow with detection rules:

  • added_overflow_check_on_arithmetic
  • added_underflow_guard

Exploitation

The heap overflow during IPv6 reassembly provides a remote kernel pool corruption primitive. Exploitation requires sending a carefully ordered sequence of IPv6 fragments that triggers the integer underflow within Ipv6pReassembleDatagram. By controlling the fragment offsets and lengths, an attacker influences the resulting allocation size and can target specific kernel pool buckets, positioning the undersized buffer adjacent to strategically chosen pool objects.

Corrupting adjacent pool allocations allows the attacker to overwrite kernel pool metadata or the contents of neighboring objects, which can be leveraged to achieve arbitrary read/write primitives and ultimately code execution in kernel context. This is a pre-authentication remote code execution vulnerability -- it can be triggered purely through network packets without any user interaction, making it one of the highest severity classes of Windows vulnerabilities.

Microsoft rated this vulnerability as "Exploitation More Likely" in their advisory, reflecting the straightforward trigger mechanism. However, reliable exploitation from a remote position requires heap layout control (grooming the kernel pool to place target objects adjacent to the vulnerable allocation), which adds complexity compared to local exploitation scenarios. The MalwareTech analysis details the fragment sequences needed to reach the vulnerable code path and the pool grooming strategies for reliable corruption.

Patch Analysis

The patch shipped in KB5041585 (build 10.0.22621.4036) added explicit overflow and underflow checks on the arithmetic used in fragment offset and length calculations during IPv6 reassembly. Specifically, the fix validates that subtraction results do not wrap around to unexpected values and that the calculated buffer sizes are consistent with the actual fragment data being reassembled. These checks cause the driver to discard malformed fragment sequences that would previously have triggered the underflow.

AutoPiff detects this patch pattern via the added_overflow_check_on_arithmetic and added_underflow_guard rules, which identify newly introduced conditional branches that guard arithmetic operations against wraparound in the patched binary compared to the vulnerable build.

Detection

YARA Rule

rule CVE_2024_38063_TCPIP {
    meta:
        description = "Detects vulnerable version of tcpip.sys (pre-patch)"
        cve = "CVE-2024-38063"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "tcpip.sys" wide ascii nocase
        $vuln_build = "10.0.22621.3958" wide ascii
        $func_reassemble = "Ipv6pReassembleDatagram" ascii
        $func_fragment = "Ipv6pReceiveFragment" ascii
        $func_generic = "IppReassembleDatagram" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and 2 of ($func_*)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-TCPIP IPv6 fragment reassembly events and packet discard events Directly monitors the code path in Ipv6pReassembleDatagram where the integer underflow occurs during fragment processing
Microsoft-Windows-WFP Packet inspection and drop events at the network layer Detects malformed IPv6 fragment sequences that would be blocked post-patch but pass through on vulnerable systems
Microsoft-Windows-Kernel-Network Network buffer allocation and pool events Monitors kernel pool allocations for IPv6 reassembly buffers with anomalous sizes resulting from integer underflow
Microsoft-Windows-Security-Auditing Event 5152 (WFP Packet Drop) and Event 5157 (Connection Block) Logs network-level blocking events when firewall rules reject malicious IPv6 fragment patterns

Behavioral Indicators

  • Burst of fragmented IPv6 packets arriving from a single source with crafted Fragment Extension Headers containing offset and length values designed to trigger unsigned integer underflow in the reassembly calculation
  • Kernel pool corruption in the NonPagedPoolNx following IPv6 fragment reassembly, detectable through pool integrity verification or subsequent bugcheck BAD_POOL_HEADER / POOL_CORRUPTION_IN_FILE_AREA
  • Network traffic containing IPv6 fragments with inconsistent total datagram sizes — individual fragment offset+length combinations that exceed or underflow the reassembled datagram boundary
  • Remote code execution artifacts: kernel-mode shellcode execution originating from corrupted pool objects adjacent to the undersized reassembly buffer, potentially spawning SYSTEM processes from the network stack context
  • High volume of IPv6 fragment packets on a system that does not normally receive fragmented IPv6 traffic, especially from external network segments

References