Critical Vulnerability in Windows http.sys allows attackers to perform Remote Code Execution
Following the “Patch Tuesday–Cyber Wednesday” tradition, a new security patch from Microsoft (released two days ago, on 14.04.15) exposed a critical vulnerability in most supported Windows versions (including Windows 7, Windows 8/8.1, Windows Server 2008 R2, Windows Server 2012/2012 R2 and more).
While full details are not yet available, it has been revealed that attackers can execute arbitrary code, through specially crafted HTTP requests, on web servers (mainly IIS) running on Windows machines that have not yet been patched.
The issue has received the identifier CVE-2015-1635 (Microsoft security bulletin MS15-034). From the moment of publication, a race began between attackers trying to reverse engineer the patch and build a working exploit, and organizations that must update millions of vulnerable servers.
As of now, a partial exploit achieving a “blue-screen” denial of service has already been publicly discussed, and it is assumed that more sophisticated exploits allowing complete server takeover are already available in the wild.
The vulnerability exists in the Windows HTTP protocol stack (http.sys), a kernel-mode driver. It can be triggered by abusing the HTTP “Range” header in a simple HTTP request (in the HTTP protocol, a client can add a “Range” header to its request, specifying the range of bytes it would like to receive from the requested resource).
As already published in hacking forums, adding a specific “Range” value to an HTTP request (specifically, the value “Range: bytes=18-18446744073709551615”, where 18446744073709551615 is the largest value an unsigned 64-bit integer can hold) will cause an unpatched IIS server to crash. It is assumed that other payloads can allow the attacker to execute arbitrary code on the target machine. A proof of concept (PoC) video of the attack is available later in this post.
Although at the moment it appears that the vulnerability is mostly exploitable through IIS (and specifically through the IIS kernel caching feature), it is safe to assume that other applications that use Windows’s http.sys component are also vulnerable to the attack.
1) Install the relevant patch on all Windows machines as soon as possible, with first priority given to IIS servers. Patches are available here:
2) Another, less recommended course of action is to disable IIS kernel caching (the enableKernelCache setting of the system.webServer/caching configuration section), which, as far as is known at the time of writing, mitigates the current payloads of the attack but does not fix the underlying flaw in http.sys. Instructions here:
Microsoft’s official announcement (security bulletin MS15-034):
1) List of vulnerable machines
2) Patch for all versions
3) Partial details about the issue
Proof of Concept Video: