HTTP.sys Vulnerability CVE-2015-1635 (MS15-034), Johannes B. Ullrich, Ph.D., jullrich@sans.edu

Post on 17-Dec-2015



Outline

• What is HTTP.sys?
• What does the “Range” header do?
• How is it exploited?
• How to test if you are vulnerable
• Examples of Current Exploits in the Wild

No Logo? No Catchy Name

HTTPdeRANGEd

HTTP.sys

• Parses HTTP Requests
• Caches responses using kernel caching
• If a “Range” header is used, extracts the specific portion of the page from the Kernel Cache to pass to the client
• Used in IIS 6 and later.
• NOT JUST USED BY IIS (part of Windows)

Range Header (RFC 7233)

• Used for partial downloads
• Often used to complete downloads
• Mobile clients (podcast clients) download pages in “chunks”.

GET / HTTP/1.1
Host: test
Range: bytes=0-5,10-15

Range Header Response

HTTP/1.1 206 Partial Content
Content-Type: multipart/byteranges; boundary=513da661b3ac6e

--513da661b3ac6e
Content-type: text/html; charset=UTF-8
Content-range: bytes 0-5/15

<HTML>
--513da661b3ac6e
Content-type: text/html; charset=UTF-8

No Upper Limit

“Since there is no predefined limit to the length of a payload, recipients must anticipate potentially large decimal numerals and prevent parsing errors due to integer conversion overflows.” (RFC 7233)

Exploit

• IIS limits the range to a 64 Bit Unsigned number.
• Maximum Number: 2^64-1 = 18446744073709551615 = 0xFFFFFFFFFFFFFFFF
• If lower end 0 -> No exploit

Exploit (2)

• Lower end > Size of file: No exploit
• Lower end > 0 and <= Size of file: Exploit!!

Integer Overflow

Exploit Request

GET / HTTP/1.1
Host: test
Range: bytes=x-18446744073709551615

X=0: no exploit
X>0 and X<Filesize: Exploit

Information Leak

• If “lower end” = “file size - 1”
• Not reproducible in my testing
• Dumps kernel memory (same segment as “cache”?)
• Maximum size depends on size of file

Tests

• Send large HTTP Range request with lower end 0.
• Other Software using http.sys: netsh http show servicestate
• Check if patch is installed: wmic qfe | find "KB3042553"

Other Protections

• I(D|P)S: Does not work for SSL
• Host based IPS, e.g. Symantec has signatures that block the exploit
• WAF
• Authentication: Disable Anonymous Access

Current Exploits

• Many vulnerability scans (range starts at “0”)
• Some random DoS exploit attempts
• No Information Disclosure exploits in honeypot so far
• Reports of more targeted exploit attempts.

Risk

• Exposed Public Systems are at immediate risk of DoS

• Memory Disclosure likely “stable” in a couple days

• Remote Execution unlikely (in the near future)

What to do next?

• Expedite Patching MS15-034
• Consider “virtual patching” via WAF until patch is applied and verified
• Add IDS rules to detect exploit attempts
• Please… share anything you see!
• Is it as bad as Heartbleed? No…
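As an added example (not part of the slides), the lower-end rule from the “Exploit Request” and “Current Exploits” slides turned into detection logic for IDS-rule tuning or log review: a huge upper end with lower end 0 is counted as a scanner probe, the same upper end with lower end > 0 as a DoS / memory-disclosure attempt. The 2^32 threshold, the function names and the sample requests are constructed assumptions.

```python
import re

MAX_U64 = 2 ** 64 - 1      # 18446744073709551615, the upper end seen in the wild
SUSPICIOUS_END = 2 ** 32   # assumed threshold: no real IIS page is this large

def parse_byte_ranges(value):
    """'bytes=a-b,c-d' -> [(start, end)], None for an open end; ValueError if malformed."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", value, re.IGNORECASE)
    if not m:
        raise ValueError("not a bytes range")
    ranges = []
    for spec in m.group(1).split(","):
        rm = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not rm or not (rm.group(1) or rm.group(2)):
            raise ValueError("bad range-spec: %r" % spec)
        ranges.append(tuple(int(g) if g else None for g in rm.groups()))
    return ranges

def classify_range(value):
    """Return 'benign', 'scan', 'exploit-attempt' or 'malformed'. Per the slides,
    a huge upper end with lower end 0 is what scanners send and does not crash
    the host; lower end > 0 is the DoS / memory-disclosure pattern."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError:
        return "malformed"
    verdict = "benign"
    for start, end in ranges:
        if end is None or end < SUSPICIOUS_END:
            continue
        if end > MAX_U64:
            return "malformed"   # does not even fit a 64-bit unsigned int
        if start == 0:
            verdict = "scan"
        else:  # also fires for lower end > file size: a passive sensor cannot know the size
            return "exploit-attempt"
    return verdict

def scan_requests(raw_requests):
    """Extract the Range header from each raw request and classify it."""
    pat = re.compile(r"^Range:[ \t]*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
    return [classify_range(m.group(1)) if (m := pat.search(raw)) else "no-range"
            for raw in raw_requests]

SAMPLE_REQUESTS = [  # constructed sample traffic, one raw request per entry
    "GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=0-5,10-15\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: test\r\n\r\n",
]
```

Running `scan_requests(SAMPLE_REQUESTS)` yields benign, scan, exploit-attempt and no-range for the four samples in order.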

Questions?

jullrich@sans.edu
https://isc.sans.edu/presentations
@johullrich
Daily Podcast…
