CVE-2010-0239
Published 2010-02-10
Priority: P2 · 73 · critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 61.27% (99.0th percentile)
The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability."
Detection & IOCs (extracted from sources)
Scapy packet construction extracted from the source PoC (v6_dst is the target's IPv6 address; the packet is split into 1500-byte fragments before it is sent):
from scapy.all import IPv6, IPv6ExtHdrFragment, ICMPv6ND_RA, ICMPv6NDOptPrefixInfo, Raw
pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load='A'*2008)
- Detect oversized or malformed ICMPv6 Router Advertisement packets whose ICMPv6NDOptPrefixInfo option length field is set to 255 (anomalous); this is the trigger for the bounds-check failure.
- Detect fragmented ICMPv6 Router Advertisement packets (IPv6 Fragment extension header present on an RA message): the exploit deliberately fragments the malicious RA across 1500-byte fragments.
- Detect ICMPv6 Router Advertisement packets carrying an anomalously large payload (about 2008 bytes of padding), far beyond normal RA option sizes, indicative of an overflow attempt.
- Scope detection to Windows Vista Gold/SP1/SP2 and Server 2008 Gold/SP2 hosts with IPv6 enabled; the vulnerability is only reachable when IPv6 is active on the interface.
- Successful exploitation yields code execution in the kernel-mode TCP/IP stack (SYSTEM-level); monitor for unexpected SYSTEM-context process creation following receipt of anomalous ICMPv6 RA traffic.
- The vulnerability is only exploitable when IPv6 is enabled on the target host. Disabling IPv6 removes the attack surface entirely.
- Failed exploit attempts manifest as denial of service (system crash/BSOD) rather than code execution, so DoS-only outcomes should still be treated as active exploitation attempts.
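The indicators above can be checked mechanically on raw IPv6 frames. The detector below is an added example, not code from the page or from any vendor; it parses the IPv6 header chain, the ICMPv6 Router Advertisement fixed fields and the ND option list by hand (no scapy dependency), and flags a Fragment header on an RA, an option length byte of 255, an RA larger than an assumed 1024-byte ceiling, and, going one step beyond the page's specific case, any option whose declared length runs past the end of the packet (the generic bounds check the vulnerable stack lacked). Note that in the Scapy packet above the 32-byte Prefix Information option plus 2008 bytes of padding comes to 2040 bytes, which is exactly 255 × 8, so the forged length byte matches the padded option and the packet is not truncated. The three sample packets, the byte threshold and the addresses are constructed for this example.

```python
"""Heuristic detector for the malformed ICMPv6 RA pattern described above (added example,
not from the page). Input is a raw IPv6 packet (no link-layer header). The threshold and
the sample packets below are constructed assumptions, not captured traffic."""
import ipaddress
import struct

IPPROTO_ICMPV6, IPPROTO_FRAGMENT = 58, 44
VARIABLE_LEN_EXT_HDRS = {0, 43, 60}       # Hop-by-Hop, Routing, Destination Options
ICMPV6_ROUTER_ADV, ND_OPT_PREFIX_INFO = 134, 3
MAX_SANE_RA_BYTES = 1024                  # assumed ceiling; real RAs are a few hundred bytes at most


def parse_ipv6(pkt: bytes):
    """Walk the fixed header and extension headers; return (info, upper-layer proto, upper-layer bytes)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])), "hop_limit": hlim, "fragment_header": False}
    off = 40
    while True:
        if nh == IPPROTO_FRAGMENT:                 # fixed 8-byte Fragment header (RFC 8200 s4.5)
            if off + 8 > len(pkt):
                raise ValueError("truncated Fragment header")
            info["fragment_header"] = True
            nh, off = pkt[off], off + 8
        elif nh in VARIABLE_LEN_EXT_HDRS:          # length byte counts 8-octet units beyond the first 8
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return info, nh, pkt[off:]


def parse_nd_options(buf: bytes):
    """Yield (type, length byte, overrun) per ND option. RFC 4861: length is in 8-octet units, never 0."""
    off = 0
    while off + 2 <= len(buf):
        opt_type, opt_len = buf[off], buf[off + 1]
        if opt_len == 0:                           # cannot advance; treat as malformed and stop
            yield opt_type, 0, True
            return
        declared = opt_len * 8
        yield opt_type, opt_len, off + declared > len(buf)
        off += declared


def analyze_ra(pkt: bytes):
    """Return alert strings for an RA; [] for non-RA traffic or a well-formed RA."""
    info, proto, l4 = parse_ipv6(pkt)
    if proto != IPPROTO_ICMPV6 or len(l4) < 16 or l4[0] != ICMPV6_ROUTER_ADV:
        return []
    alerts = []
    if info["fragment_header"]:
        alerts.append("fragmented_ra")
    if info["hop_limit"] != 255:                  # RFC 4861 s6.1.2: RAs must arrive with hop limit 255
        alerts.append("ra_hop_limit_not_255")
    if len(l4) > MAX_SANE_RA_BYTES:
        alerts.append(f"oversized_ra:{len(l4)}")
    for opt_type, opt_len, overrun in parse_nd_options(l4[16:]):   # 16 = ICMPv6 + RA fixed fields
        if opt_len == 255:
            alerts.append(f"nd_option_len_255:type={opt_type}")
        elif overrun:
            alerts.append(f"nd_option_overrun:type={opt_type},len={opt_len}")
    return alerts


# --- builders for the constructed sample packets (they only build bytes, nothing is sent) ---
def build_ipv6(src, dst, hlim, l4, fragment=False):
    """IPv6 header (+ optional atomic Fragment header, as scapy emits IPv6ExtHdrFragment()) around l4."""
    if fragment:
        l4 = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, 0, 0x1234) + l4
    hdr = struct.pack("!IHBB", 0x60000000, len(l4), IPPROTO_FRAGMENT if fragment else IPPROTO_ICMPV6, hlim)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + l4


def build_ra(options: bytes) -> bytes:
    """ICMPv6 type 134, code 0, checksum left zero (not verified here), then the 12 RA fixed bytes."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADV, 0, 0, 64, 0, 1800, 0, 0) + options


def prefix_info_option(prefix: str, prefixlen: int, length_field: int = 4) -> bytes:
    """Prefix Information option (type 3); a correct length byte is 4 (32 bytes)."""
    return struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, length_field, prefixlen, 0xC0,
                       2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed


# Constructed: well-formed RA, link-local router to all-nodes, one /64 prefix.
BENIGN_RA = build_ipv6("fe80::1", "ff02::1", 255, build_ra(prefix_info_option("2001:db8::", 64)))
# Constructed: shape of the Scapy packet above - Fragment header, RA, prefix option with length
# byte 255, 2008 bytes of 'A'. 32 + 2008 = 2040 = 255 * 8, so the option exactly spans its padding.
POC_SHAPE_RA = build_ipv6("fe80::bad", "ff02::1", 255,
                          build_ra(prefix_info_option("2001::", 64, 255) + b"A" * 2008), fragment=True)
# Constructed: generic bounds-check failure - option claims 64 bytes but the packet ends after 32.
OVERRUN_RA = build_ipv6("fe80::1", "ff02::1", 255, build_ra(prefix_info_option("2001:db8::", 64, 8)))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("poc_shape", POC_SHAPE_RA), ("overrun", OVERRUN_RA)):
        print(f"{name}: {analyze_ra(pkt) or 'no alerts'}")
```

Run on real traffic, feed analyze_ra() the IPv6 payload of each frame from a capture (strip the 14-byte Ethernet header first). For a genuinely fragmented PoC only the first fragment carries the ICMPv6 type and the forged option header, so the fragment-header and length-255 alerts fire on that fragment without reassembly, while the oversized-payload check needs the reassembled datagram; either alert alone is enough to escalate, and per the last two points above a crash on the receiving host after such traffic should be treated as an exploitation attempt, not as a network fault.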
No detection rules found.
No writeups or analysis indexed.
References:
http://www.us-cert.gov/cas/techalerts/TA10-040A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-009
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8478