This vulnerability affects Windows 7 and was published seven years ago. We decided to check if this is still a zero day and can still be exploited as Microsoft never acknowledged it.
The following video demonstrates this attack on a fully patched Windows 7 SP1 system:
As you can see, we setup a fully patched Windows 7 SP1 system and a DHCPv6 server that allows you to configure several DHCPv6 options. This DHCPv6 server sends a malformed DHCPv6 option type 24, Domain Search List. The DHCPv6 client on Windows 7 fails to process this malformed Domain Search List that crashes RPC Server.
During our tests, we found Windows 8.1 and Windows 10 not vulnerable to this attack, however other older versions of Windows may also be vulnerable.
QualysGuard has been detecting this vulnerability with QID#119518. We contacted Microsoft Security Response Center (MSRC) and provided them this PoC too as Windows 7 SP1 is not EOL yet. However, they did not consider this for down level servicing.
This does not reproduce on newer products and we constantly advocate customers to upgrade to new operating systems this won’t meet the bar for releasing a down level security update. We arrived at this decision as it is a user mode service DOS. The machine itself will remain running. Additionally, the service is set to automatically restart. While an attacker could constantly issue the DOS, this would be noisy and only last as long as the attacker had access to the victim VLAN.