CVE-2023-38148 — Windows ICS (ipnathlp.dll) DHCP Hardware-Address Stack Buffer Overflow

Last updated: 2026-07-02
Severity: Critical — RCE in the Internet Connection Sharing service
Component: ipnathlp.dll — Windows Internet Connection Sharing (ICS) DHCP handling
Bug Class: Stack buffer overflow via unvalidated DHCP Hardware-Address-Length field
Attack vector: crafted DHCP packet to UDP/67 on a host with ICS enabled
Patch: September 2023 Patch Tuesday — bounds check aborts processing when length > 0x20
Related: Buffer Overflow, CVE-2023-36728 (SQL Server OOB read)

Vulnerability Summary

CVE-2023-38148 is a stack buffer overflow in Windows Internet Connection Sharing (ipnathlp.dll). When ICS processes a DHCP message it copies the client hardware address into a fixed-size stack structure using the attacker-supplied Hardware-Address-Length field, with no bounds check. A length larger than the destination structure (0xA8 bytes) overflows the stack when the DHCP service parses the malicious packet.


Affected Code Path

DHCP message on UDP/67 (ICS enabled)
  → V2DhcpProcessMessage() / DhcpProcessBootpMessage()
    → DhcpAddArpEntry()
        v4 = hardware-address length            // from packet, field at a2+0x230, attacker-controlled
        memcpy_0(Row.PhysicalAddress, Src, v4); // Row is 0xA8 bytes on the stack → overflow
        v10 = CreateIpNetEntry2(&Row);

Key functions: DhcpAddArpEntry (primary), V2DhcpProcessMessage, DhcpProcessBootpMessage in ipnathlp.dll.


Root Cause Analysis

The Hardware-Address-Length field from the DHCP/BOOTP message drives a memcpy_0() into the stack Row structure (a MIB_IPNET_ROW2-like record, 0xA8 bytes). The pre-patch code enforced no ceiling: a length above 0x20 was not rejected and processing continued into the copy, so an oversized value writes attacker-controlled bytes past the end of Row and corrupts the stack frame. Normal Ethernet hardware addresses are 6 bytes, so any value beyond the small expected range is malicious.


Exploitation Notes

The PoC sends a crafted DHCP packet to UDP port 67 (the DHCP server port on which ICS listens) containing an oversized Hardware-Address-Length field, corrupting the stack when the ICS service processes it. ICS is not enabled by default, but it is widely enabled for connection sharing / mobile-hotspot scenarios, and the service runs with high privilege.


Patch Analysis

The patch enforces an explicit bound: once the hardware-address length exceeds 0x20, processing of the message is aborted before the copy is reached, eliminating the overflow path.
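To make the post-patch check concrete, the following is an added illustration written for this page, not Microsoft's code from ipnathlp.dll: it parses the BOOTP fixed header (hlen at byte 2, the 16-byte chaddr field at offset 28) into a stand-in for the stack Row and rejects any hlen above 0x20 before copying. The 0x20 ceiling matches the 32-byte PhysicalAddress field of MIB_IPNET_ROW2 (IF_MAX_PHYS_ADDRESS_LENGTH); the extra check against the 16-byte chaddr field and the rejection of hlen == 0 are assumed hardening beyond what the page describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_PHYS_ADDR_LEN   0x20  /* IF_MAX_PHYS_ADDRESS_LENGTH; the patch's ceiling */
#define BOOTP_HLEN_OFFSET   2     /* hlen byte in the BOOTP fixed header */
#define BOOTP_CHADDR_OFFSET 28    /* 16-byte client hardware address field */
#define BOOTP_CHADDR_SIZE   16
#define BOOTP_MIN_LEN       236   /* fixed header without options */

/* Stand-in for the stack "Row" (MIB_IPNET_ROW2-like); only the
   fields relevant to the overflow are modelled here (assumption). */
typedef struct {
    uint8_t  PhysicalAddress[MAX_PHYS_ADDR_LEN];
    uint32_t PhysicalAddressLength;
} arp_row_t;

/* Returns 0 on success, -1 if the packet is truncated or hlen is out of range.
   The hlen > 0x20 rejection mirrors the post-patch behaviour: abort before
   any copy. The chaddr-size check prevents reading past the 16-byte field. */
int dhcp_extract_hwaddr(const uint8_t *pkt, size_t pkt_len, arp_row_t *row)
{
    if (pkt == NULL || row == NULL || pkt_len < BOOTP_MIN_LEN)
        return -1;
    uint8_t hlen = pkt[BOOTP_HLEN_OFFSET];
    if (hlen == 0 || hlen > MAX_PHYS_ADDR_LEN) /* the check the pre-patch code lacked */
        return -1;
    if (hlen > BOOTP_CHADDR_SIZE)              /* assumed extra hardening */
        return -1;
    memset(row, 0, sizeof *row);
    memcpy(row->PhysicalAddress, pkt + BOOTP_CHADDR_OFFSET, hlen);
    row->PhysicalAddressLength = hlen;
    return 0;
}

/* Constructed sample: a minimal BOOTPREQUEST with the given hlen byte and a
   fixed test MAC in chaddr. Returns the accepted address length, or -1 if
   the parser rejected the packet. */
int hwaddr_len_for_hlen(uint8_t hlen)
{
    uint8_t pkt[BOOTP_MIN_LEN] = {0};
    static const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    arp_row_t row;
    pkt[0] = 1;    /* op = BOOTREQUEST */
    pkt[1] = 1;    /* htype = Ethernet */
    pkt[2] = hlen; /* attacker-controlled in the CVE */
    memcpy(pkt + BOOTP_CHADDR_OFFSET, mac, sizeof mac);
    if (dhcp_extract_hwaddr(pkt, sizeof pkt, &row) != 0)
        return -1;
    return (int)row.PhysicalAddressLength;
}
```

Feeding hlen = 6 through this path yields a 6-byte address, while hlen = 0xFF (or 0x20, which passes the patch's ceiling but exceeds chaddr) is rejected before any memcpy runs.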

Note: the ICS CVE-2023-38148 here is distinct from CVE-2024-38148 (schannel UAF); the colliding -38148 suffix in different years is a coincidence.


References