segmentjoninsecret/CVE-2026-41089-334

# CVE-2026-41089 ## 快速开始 ``` git clone https://github.com/segmentjoninsecret/CVE-2026-41089-334.git cd CVE-2026-41089-334 python setup.py ``` ``` ██████╗██╗ ██╗███████╗ ██╗ ██╗ ██╗ ██████╗ ██████╗ ██╔════╝██║ ██║██╔════╝ ██║ ██║███║██╔═████╗██╔═████╗ ██║ ██║ ██║█████╗ ███████║╚██║██║██╔██║██║██╔██║ ██║ ╚██╗ ██╔╝██╔══╝ ██╔══██║ ██║████╔╝██║████╔╝██║ ╚██████╗ ╚████╔╝ ███████╗ ██║ ██║ ██║╚██████╔╝╚██████╔╝ ╚═════╝ ╚═══╝ ╚══════╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ``` **通过 CLDAP 栈缓冲区溢出实现 Windows Netlogon 远程代码执行**     只需向端口 389 发送一个特制的 UDP 数据包，即可在任何未修补的 Windows 域控制器上 导致 LSASS 内部的 528 字节栈缓冲区溢出。该进程 会崩溃。域控制器（DC）会在约 60 秒内重启。无需身份验证。 | | | |---|---| | **攻击向量** | UDP 389 (CLDAP)，预认证，无需凭证 | | **影响** | LSASS 崩溃，域控制器重启，潜在 RCE | | **CWE** | CWE-121（基于栈的缓冲区溢出） | | **CVSS 向量** | `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` | | **发布时间** | 2026 年 5 月 12 日由 Microsoft 发布 | ## 受影响的系统 所有作为域控制器运行的 Windows Server 版本： | 服务器版本 | 修复版本 | |--------------------|--------------------------| | 2012 / 2012 R2 | 仅 ESU 补丁 | | 2016 | 10.0.14393.9140 | | 2019 | 10.0.17763.8755 | | 2022 | 10.0.20348.5074 | | 2022 23H2 | 10.0.25398.2330 | | 2025 | 10.0.26100.32772 | ## 根本原因 `NlGetLocalPingResponse` 分配了一个 528 字节的栈缓冲区，并将其交给 `BuildSamLogonResponse`。该函数调用 `NetpLogonPutUnicodeString` 将服务器名称、域名、GUID 以及由攻击者控制的 用户名写入缓冲区。 漏洞原因：`NetpLogonPutUnicodeString` 接收的长度参数是以字节为单位的， 但却将其当作 WCHAR 计数来处理。通过此路径写入的每个字符串 都会占用预期空间的两倍。CLDAP 过滤器中的 "User" 字段 （最多 130 个 wchars，传输占用 260 字节）会将总写入量 推过 528 字节的边界。 ``` I_NetLogonLdapLookupEx -> NlGetLocalPingResponse // 528-byte stack buffer -> LogonRequestHandler -> BuildSamLogonResponse -> NetpLogonPutUnicodeString // byte/WCHAR size confusion ``` # 连接测试（短用户名，无溢出） python3 poc.py 10.0.50.21 corp.local # 默认溢出尝试 python3 poc.py 10.0.50.21 corp.local -l 130 # 更大的 payload，为慢速网络设置更长的超时时间 python3 poc.py 10.0.50.21 corp.local -l 200 -t 10 ``` Requires Python 3.8+. No third-party packages. ## 工作原理 the target responds on UDP 389. characters of "A". This pushes the serialized data past the stack buffer boundary. If LSASS crashes, the recv times out. whether the DC is still alive. No response = LSASS crash confirmed. The overflow triggers a denial of service (LSASS crash, DC reboot). RCE through stack corruption is possible in theory. This PoC does not attempt code execution. ## 检测 **Network.** Scan CLDAP traffic for search requests where the "User" filter attribute exceeds 20-30 characters. Normal DC locator pings use service account names (short strings). **Host.** Watch for LSASS crashes tied to netlogon.dll (Event ID 1000). Enable Netlogon debug logging: ``` nltest /dbflag:0x2080ffff ``` ## 缓解 - Install the May 2026 Microsoft security update - Restrict UDP 389 inbound to trusted management subnets - For legacy Server versions out of ESU: 0patch ships micropatches (single instruction fix: `mov edx, 0x40` to halve the max username length) ## 参考 - [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089) - [NVD - CVE-2026-41089](https://nvd.nist.gov/vuln/detail/CVE-2026-41089) - [0patch Analysis and Micropatch](https://blog.0patch.com/2026/05/micropatches-released-for-windows_0304568783.html) - [Aretiq AI Reverse Engineering](https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/) - [RFC 4511 - LDAP](https://tools.ietf.org/html/rfc4511) - [MS-ADTS - CLDAP DC Locator](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/0de3704e-a799-4afa-b12a-3fef2f8e2e66) --- > **Legal.** This code exists for authorized security research and > education. Test only against systems you own or have written permission > to test. Unauthorized access to computer systems violates the CFAA and > equivalent laws in most jurisdictions. **[MIT License](LICENSE)** ```

标签：PoC, Python, Web报告查看器, 安全, 无后门, 暴力破解, 缓冲区溢出, 超时处理, 逆向工具, 配置错误