Beware of Fake PoC Exploits for 0-Click RCE CVE-2024-38063 on GitHub
Security researchers have discovered a series of fake proof-of-concept (PoC) exploit codes for the critical CVE-2024-38063 vulnerability affecting Windows systems. These fraudulent exploits, which have appeared on GitHub, are not just misleading but are being used as a vehicle for distributing malware.
CVE-2024-38063 is a critical severity vulnerability (CVSS 9.8) identified in Windows 10, Windows 11, and Windows Server systems. Discovered by XiaoWei from Kunlun Lab, the flaw stems from an Integer Underflow weakness, which attackers can exploit to trigger buffer overflows. This could allow them to execute arbitrary code on vulnerable systems.
As outlined by Microsoft in their advisory, the vulnerability can be exploited remotely by unauthenticated attackers. The exploit involves sending specially crafted IPv6 packets in low-complexity attacks. Microsoft’s “exploitation more likely” tag on this vulnerability indicates a high probability that threat actors could develop reliable exploit code to consistently leverage this flaw in attacks.
Unfortunately, the critical nature of CVE-2024-38063 has attracted malicious actors who are taking advantage of the cybersecurity community’s interest in the flaw. On platforms like GitHub, several PoC exploit codes claiming to target this vulnerability have been uploaded. However, Arda Büyükkaya, a cyber threat intelligence analyst at EclecticIQ, has confirmed that these codes are fraudulent, designed not to demonstrate the vulnerability but to spread malware.
A prime example of this tactic involves the use of Snipaste, a screenshot application developed in China, to create and distribute a fake PoC. This malicious sample, with a detection rate of 23/75 on VirusTotal, appears to be part of a campaign with likely origins in China. The threat actors are using tools and techniques commonly associated with that region, including leveraging the cip[.]cc service—licensed by China’s Ministry of Industry and Information Technology—to collect victims’ IP addresses and locations.
While the cybersecurity community scrambles to understand and mitigate CVE-2024-38063, researchers are also focused on unraveling the true nature of these fake PoCs. Robel Campbell, a principal security researcher at Blackpoint Cyber, has shared insights into the vulnerability’s exploitation potential. According to Campbell, the underflow in IPv6 packet handling could lead to a crash due to an out-of-bounds write. This crash, while concerning, might be further weaponized through advanced techniques such as heap massaging.
On the other hand, Marcus Hutchins, a renowned cybersecurity specialist, has voiced skepticism about the practical exploitability of CVE-2024-38063 in real-world scenarios. Hutchins notes that the vulnerability appears to be dependent on the use of IPv6 Jumbograms—packets larger than 65535 bytes. Given the rarity of systems with Jumbograms enabled, Hutchins questions the likelihood of widespread exploitation.
To protect against potential exploitation of CVE-2024-38063, and to avoid falling victim to fake PoC exploits, users are advised to take immediate action:
- Apply the Latest Patches: Microsoft’s August 2024 Patch Tuesday includes a fix for CVE-2024-38063. Users should ensure their systems are up to date to mitigate this critical vulnerability.
- Disable IPv6: For those who cannot immediately apply the patches, disabling IPv6 can remove the attack surface, preventing potential exploitation.
- Exercise Caution on GitHub: Be wary of PoC exploit codes uploaded by unverified sources. Always verify the legitimacy of the code before executing it, especially when dealing with vulnerabilities that have attracted significant attention.
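The following PowerShell script is an added example, not part of the original article or any vendor tooling: it audits the first two mitigations above (patch status and IPv6 exposure) on a Windows host. The article gives no KB numbers, so the patch check is a heuristic based on the install date of updates relative to the August 2024 Patch Tuesday (2024-08-13, an assumption of this script); the `-DisableIPv6` switch and its default are also assumptions.

```powershell
# Added example (not from the article): audits the two technical mitigations the
# article lists for CVE-2024-38063. KB numbers are not given in the article, so
# the patch check is a heuristic: it looks for any update installed on or after
# the August 2024 Patch Tuesday (assumed here to be 2024-08-13).
# Save as Check-CVE-2024-38063.ps1 and run from an elevated PowerShell session.

param(
    # Set to $true to actually unbind IPv6 from every adapter (the article's
    # interim workaround for hosts that cannot patch yet); default only reports.
    [bool]$DisableIPv6 = $false
)

$patchTuesday = Get-Date -Year 2024 -Month 8 -Day 13

# 1. Patch status: Get-HotFix lists installed updates and their install dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    Write-Host "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
    Write-Host "Confirm the August 2024 cumulative update for this build is among them."
} else {
    Write-Warning "No updates installed since August 2024 Patch Tuesday; host is likely unpatched."
}

# 2. IPv6 exposure: the flaw is in IPv6 packet handling, so any adapter with the
# ms_tcpip6 binding enabled still presents the attack surface.
$ipv6Bindings = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Where-Object { $_.Enabled }

if ($ipv6Bindings) {
    Write-Warning ("IPv6 is bound on: " + ($ipv6Bindings.Name -join ', '))
    if ($DisableIPv6) {
        # Unbind IPv6 per adapter; reversible later with Enable-NetAdapterBinding.
        $ipv6Bindings | ForEach-Object {
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
        }
        Write-Host "IPv6 binding disabled on the adapters listed above."
    } else {
        Write-Host "Re-run with -DisableIPv6 `$true to unbind IPv6 until the patch is applied."
    }
} else {
    Write-Host "IPv6 is not bound on any adapter; the IPv6 attack surface is closed."
}
```

Re-enable the binding with `Enable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6` once the August 2024 update is confirmed installed.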