Critical Zero-Click Zero-Day Vulnerability in Windows RPC (CVE-2022-26809)

Written by Aarush Ahuja
Co-founder @ FourCore

Remote Code Execution on Windows

Microsoft Patch Tuesday for April patched three critical vulnerabilities in the Windows RPC runtime. One of the vulnerabilities, CVE-2022-26809, is a very high impact vulnerability impacting more than 700,000 Windows machines exposed to the internet. Here we cover what the vulnerabilty is, if you are vulnerable to it and how you can mitigate the vulnerability.

Are you vulnerable?

All Windows machines with Port 445 exposed and having an unpatched RPC runtime library are potentially vulnerable to an unauthenticated RCE. The attacker can

As of 18th April 2022, Shodan reports that more than 700,000 potentially vulnerable Windows machines expose this port across the internet.

How firedrill works

What is CVE-2022-26809?

Akamai's Ophir Harpaz and Ben Barnea have published an amazing analysis of the vulnerability here. The vulnerabilities are present in the library named rpcrt4.dll which is loaded into both client and server processes using the MS-RPC protocol. On diffing the unpatched library from March 2022 with the patched April 2022 library, the functions OSF_CCALL::ProcessResponse and OSF_CCALL::ProcessResponsePDU are two similar and interesting functions both processing RPC packets. One runs on the client slide (CCALL) and the other server side (SCALL). In the latest version of the library, the server-side function OSF_CCALL::ProcessResponsePDU includes added code blocks fixing an integer overflow which could lead to a heap buffer overflow.

How firedrill works

These routines are present on both the server side and client side, the integer overflows are present on both the client side and server side. The overflow was mitigated by adding overflow checks to the following functions:

  • OSF_CCALL::ProcessResponse
  • OSF_SCALL::GetCoalescedBuffer
  • OSF_CCALL::GetCoalescedBuffer

How to mitigate CVE-2022-26809?

Based on Microsoft's official advisories:

  • Block access to TCP port 445 from outside the enterprise perimeter.
  • Limit incoming connections to TCP port 445 only on machines where it is desired (such as Domain Controllers, File and Print Servers etc.).
  • Apply the latest security updates that mitigate these vulnerabilites.

High Impact via Zero-Click Remote Code Execution

The integer overflow and the subsequent heap overflow enabled by this vulnerability can lead a a zero-click unauntheticated RCE exploit allowing to run code in the context of the RPC process. This is the reason the CVE is given the CVSS score of 9.8. A GitHub repository, which has since been deleted, containg a GIF of the PoC highlights the trivial exploitatibility of this vulnerability.

How firedrill works