HTTP.sys Vulnerability CVE-2015-1635 / MS15-034
Johannes B. Ullrich, Ph.D., [email protected]
TRANSCRIPT
Outline
• What is HTTP.sys?
• What does the “Range” header do?
• How is it exploited?
• How to test if you are vulnerable
• Examples of current exploits in the wild
No Logo? No Catchy Name
HTTPdeRANGEd
HTTP.sys
• Parses HTTP requests
• Caches responses using kernel caching
• If a “Range” header is used, extracts the specific portion of the page from the kernel cache to pass to the client
• Used in IIS 6 and later.
• NOT JUST USED BY IIS (part of Windows)
Range Header (RFC 7233)
• Used for partial downloads
• Often used to complete downloads
• Mobile clients (podcast clients) download pages in “chunks”.

GET / HTTP/1.1
Host: test
Range: bytes=0-5,10-15
Range Header Response

HTTP/1.1 206 Partial Content
Content-Type: multipart/byteranges; boundary=513da661b3ac6e

--513da661b3ac6e
Content-type: text/html; charset=UTF-8
Content-range: bytes 0-5/15

<HTML>
--513da661b3ac6e
Content-type: text/html; charset=UTF-8
No Upper Limit
“Since there is no predefined limit to the length of a payload, recipients must anticipate potentially large
decimal numerals and prevent parsing errors due to integer conversion
overflows.” (RFC 7233)
Exploit
• IIS limits the range to a 64-bit unsigned number.
• Maximum number: 2^64-1 = 18446744073709551615 = 0xFFFFFFFFFFFFFFFF
• If the lower end is 0 -> no exploit
Exploit (2)
• Lower end > size of file: no exploit
• Lower end > 0 and <= size of file: Exploit!! (integer overflow)
Exploit Request

GET / HTTP/1.1
Host: test
Range: bytes=x-18446744073709551615

x=0: no exploit
x>0 and x<filesize: exploit
Information Leak
• If “lower end” = “file size - 1”
• Not reproducible in my testing
• Dumps kernel memory (same segment as “cache”?)
• Maximum size depends on size of file
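The rules on the preceding slides (lower end 0, lower end inside the file, lower end = file size - 1, lower end past the file) can be turned into a triage check for request logs. The following is an added example, not part of the original slides: it classifies each Range header seen in a batch of raw requests, assuming the size of the cached file for each path is known, and uses an assumed threshold (upper bound above 2^63) to decide that a range end is “huge”; the sample requests are constructed.

```python
import re

MAX_U64 = 2**64 - 1   # largest range end http.sys accepts (from the slides)
HUGE = 2**63          # assumed detection threshold: no real file is this large

# Verdicts ranked so a multi-range header reports its most serious part.
SEVERITY = ["benign", "no_exploit", "scan", "dos", "leak"]

def classify_range(range_value, file_size):
    """Apply the slide rules to one 'bytes=...' value for a file of file_size bytes."""
    worst = "benign"
    for spec in range_value.split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if m is None:
            return "malformed"              # not a first-last byte range at all
        lo, hi = m.group(1), m.group(2)
        if lo == "" or hi == "" or int(hi) < HUGE:
            continue                        # ordinary partial download
        lo = int(lo)
        if lo == 0:
            verdict = "scan"                # lower end 0: no exploit, typical scanner probe
        elif lo == file_size - 1:
            verdict = "leak"                # lower end = file size - 1: information leak attempt
        elif 0 < lo <= file_size:
            verdict = "dos"                 # integer overflow -> crash
        else:
            verdict = "no_exploit"          # lower end beyond the end of the file
        if SEVERITY.index(verdict) > SEVERITY.index(worst):
            worst = verdict
    return worst

def triage(raw_requests, sizes):
    """Return (path, verdict) for every request that carries a Range header.
    sizes maps request path -> size in bytes of the file served (assumed known)."""
    out = []
    for req in raw_requests:
        path = req.split("\r\n", 1)[0].split(" ")[1]
        m = re.search(r"^Range:\s*bytes=(.*)$", req, re.I | re.M)
        if m:
            out.append((path, classify_range(m.group(1).strip(), sizes.get(path, 0))))
    return out

# Constructed sample traffic (not real captures); "/" is assumed to be 15 bytes as on the response slide.
SAMPLE = [
    "GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=0-5,10-15\r\n\r\n",
    f"GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=0-{MAX_U64}\r\n\r\n",
    f"GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=3-{MAX_U64}\r\n\r\n",
    f"GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=14-{MAX_U64}\r\n\r\n",
    f"GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=99-{MAX_U64}\r\n\r\n",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE, {"/": 15}):
        print(path, verdict)
```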
Tests
• Send a large HTTP Range request with lower end 0.
• Other software using http.sys: netsh http show servicestate
• Check if the patch is installed: wmic qfe | find "KB3042553"
Other Protections
• I(D|P)S: does not work for SSL
• Host-based IPS, e.g. Symantec has signatures that block the exploit
• WAF
• Authentication: disable anonymous access
Current Exploits
• Many vulnerability scans (range starts at “0”)
• Some random DoS exploit attempts
• No information disclosure exploits in honeypot so far
• Reports of more targeted exploit attempts.
Risk
• Exposed Public Systems are at immediate risk of DoS
• Memory Disclosure likely “stable” in a couple days
• Remote Execution unlikely (in the near future)
What to do next?
• Expedite patching MS15-034
• Consider “virtual patching” via WAF until the patch is applied and verified
• Add IDS rules to detect exploit attempts
• Please… share anything you see!
• Is it as bad as Heartbleed? No…