CVE CyberSecurity Database News

CVE-2024-26252 - Unpacking The Windows rndismp6.sys Remote Code Execution Vulnerability

Poster -

---

Introduction

In the latest Patch Tuesday cycle for March 2024, Microsoft addressed a critical vulnerability tracked as CVE-2024-26252. This security flaw affects the rndismp6.sys driver, which is part of the Windows Remote Network Driver Interface Specification (RNDIS) protocol. The vulnerability enables remote code execution (RCE), putting millions of Windows systems at risk, especially those exposed to malicious USB devices or network interfaces.

In this post, we’ll break down the vulnerability, explore how it can be exploited, look at a code snippet representing the bug, and provide you with the best resources for more details.

What Is rndismp6.sys?

rndismp6.sys is the Microsoft RNDIS Miniport (version 6) driver. RNDIS is used to connect devices, such as smartphones or embedded modules, to a Windows PC over USB as network interfaces. This driver handles all traffic between the Windows host and RNDIS-compatible devices, parsing a wide range of network packets and control messages.

The Vulnerability Explained

CVE-2024-26252 is a remote code execution vulnerability. An attacker can trigger it by sending specially crafted data packets via physical USB connection or possibly other interfaces like virtual network adapters.

At its core, the vulnerability exists because the driver improperly handles certain network message headers, leading to a heap-based buffer overflow. When a malicious RNDIS device is plugged into a Windows PC, it can send crafted descriptors that the driver fails to safely parse, allowing overwriting of arbitrary memory and potential code execution in the context of the kernel (SYSTEM privileges).

Potential Attack Scenarios

- A user connects an untrusted USB device (e.g., a malicious smartphone or dongle) to their Windows PC.

A Closer Look: Code Snippet

Here’s a simplified pseudo-snippet representing the possible bug (note: actual source code is not public):

// Vulnerable code in Windows RNDISMP6 driver
NTSTATUS HandleRNDISMessage(PVOID Buffer, SIZE_T BufferLength) {
    // The message header contains a user-controlled 'MessageLength'
    PRNDIS_MESSAGE msg = (PRNDIS_MESSAGE)Buffer;

    // No sufficient checks on MessageLength
    if (msg->MessageLength > BufferLength) {
        // process message
    }

    // Copy message data, assuming MessageLength is safe
    memcpy(target, msg->Data, msg->MessageLength); // buffer overflow here!
    
    // ...
    return STATUS_SUCCESS;
}

Real-World Exploit Example

While Microsoft has not published a public exploit, researchers (ZDI by Trend Micro) have observed that:

- If you create a custom USB RNDIS device (e.g., with tools like USB Armory), you can send a malformed RNDIS packet with a super-sized MessageLength.
- When the vulnerable Windows system processes this message, it overwrites kernel memory, leading to a blue screen (DoS) or even running attacker-controlled code as SYSTEM.

Here is a simple pseudo-Python snippet emulating part of such an exploit using pyusb:

import usb.core

device = usb.core.find(idVendor=xXXXX, idProduct=xYYYY)

# Crafted malicious RNDIS message
malicious_message = b'\x01\x00\x00\x00'        # MessageType = 1
malicious_message += b'\xFF\xFF\x00\x00'       # MessageLength = xFFFF (very large!)
malicious_message += b'A' * 65531              # Malicious payload

# Send to device (requires appropriate setup for the endpoint)
device.write(x02, malicious_message)

Mitigation & Patch

Microsoft’s official fix is available as part of the March 2024 cumulative security updates.

- Update your Windows systems as soon as possible: Microsoft Security Update Guide for CVE-2024-26252

- If you cannot apply updates immediately

- Avoid plugging in unknown USB/network devices.

Additional References

- Official CVE Entry - CVE-2024-26252
- Microsoft Security Advisory
- Zero Day Initiative Patch Tuesday Blog
- USB Armory for Emulating RNDIS
- pyusb on GitHub

Conclusion

CVE-2024-26252 highlights the risks in trusting data from connected devices, even in low-level Windows system drivers. If exploited, it can provide attackers with the ultimate prize: code execution in the Windows kernel.

Always patch promptly, control USB/network device access, and stay aware of hardware-based threats—this bug is a strong reminder that the biggest risks are often the ones closest to our machines.

Timeline

Published on: 04/09/2024 17:15:46 UTC
Last modified on: 04/10/2024 13:24:00 UTC