Merge pull request #2164 from HackTricks-wiki/update_CVE-2026-33824__Remote_Code_Execution_in_Windows_I_20260423_190733

CVE-2026-33824 Remote Code Execution in Windows IKEv2

Author: carlospolop

src/network-services-pentesting/ipsec-ike-vpn-pentesting.md

@@ -328,6 +328,43 @@ Practical tips
 - Increase receive buffer and timeouts for UDP-based scanners to avoid packet loss.
 - If the service exposes custom Vendor IDs (see section above), use them to quickly fingerprint vulnerable versions before attempting any exploit traffic.
 
+## IKEv2 fragmentation abuse: async shallow-copy double free (Windows IKEEXT case study)
+
+RFC 7383 fragmentation (`SKF`, payload type `0x35`) is a good place to look for **pre-auth memory corruption** in IKEv2 implementations. Reassembly code often builds a temporary packet context, copies state from the long-lived SA object, and reinjects the reassembled message into later parsing stages. If some fields are **deep-copied** while embedded pointers are only **shallow-copied**, packet-context cleanup can free memory still owned by the SA, and the same allocation can be freed again later during SA teardown.
+
+Real-world pattern seen in Windows IKEEXT:
+- During `IKE_SA_INIT`, a Vendor ID handler allocates a blob tied to the SA.
+- A fragmented `IKE_AUTH` is reassembled and queued for async processing.
+- The queueing path deep-copies the reassembly buffer but leaves the SA-owned blob pointer aliased inside the queued packet context.
+- Destroying the queued context frees the aliased pointer first.
+- Negotiation cleanup later tears down the original SA and frees the same pointer again, yielding a **double free** reachable from the network.
+
+Practical auditing notes:
+- Treat **fragment reassembly + reinjection + async work queues** as one attack surface, not separate features.
+- Compare which fields are deep-copied versus shallow-copied when packet contexts are queued to worker threads.
+- Check whether invalid reassembled messages still traverse cleanup paths. A malformed `IKE_AUTH` may still be enough if reassembly and queue teardown happen before semantic validation fails.
+- For Windows targets, the reachable service is typically **IKEEXT** listening on **UDP/500** and **UDP/4500** (NAT-T), so successful exploitation targets a privileged network-facing service.
+
+### Detection notes for fragmentation-driven IKEv2 exploitation
+
+This pattern is **stateful**. A single packet is not enough; correlate packets within the same IKE session:
+
+1. Look for an `IKE_SA_INIT` request that contains a vendor-specific setup payload. In the Windows case study, the write-up keys on:
+   - UDP payload offset `17`: `20 22 08` (`IKEv2`, `IKE_SA_INIT`, initiator)
+   - Vendor ID bytes anywhere later in the packet: `68 6a 8c bd fe 63 4b 40 51 46 fb 2b af 33 e9 e8`
+2. From the same source / IKE session, look for fragmented `IKE_AUTH` traffic:
+   - UDP payload offset `16`: `35 20 23 08` (`SKF`, `IKEv2`, `IKE_AUTH`, initiator)
+   - UDP payload offset `20`: `00 00 00 01`
+
+Parsing notes:
+- Multi-byte fields are **big-endian**.
+- On **UDP/4500**, the 4-byte non-ESP marker `00 00 00 00` shifts all IKE offsets by `+4`.
+- Detection quality improves if you correlate on the IKE SPIs from the header instead of just source IP/port.
+
+Operational notes:
+- If IKE is not needed, block **UDP/500** and **UDP/4500**.
+- If IKE is required, restrict those ports to known peers while patches are being deployed.
+
 ## Reference Material
 
 - [PSK cracking paper](http://www.ernw.de/download/pskattack.pdf)
@@ -345,5 +382,8 @@ Practical tips
 
 - [YIKES: WatchGuard Fireware OS IKEv2 out-of-bounds write (CVE-2025-9242)](https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds-write-cve-2025-9242/)
 - [0xdf – HTB: Expressway](https://0xdf.gitlab.io/2026/03/07/htb-expressway.html)
+- [ZDI - CVE-2026-33824: Remote Code Execution in Windows IKEv2](https://www.thezdi.com/blog/2026/4/22/cve-2026-33824-remote-code-execution-in-windows-ikev2)
+- [RFC 7383 - Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation](https://datatracker.ietf.org/doc/rfc7383/)
+- [Microsoft Security Update Guide - CVE-2026-33824](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33824)
 
 {{#include ../banners/hacktricks-training.md}}