- Windows 7
- Windows Server 2008 R2
- Windows 8/8.1
- Windows Server 2012/2012 R2
- Kernel-mode caching. Requests for cached responses are served without switching to user mode.
- Kernel-mode request queuing. Requests cause less overhead in context switching, because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.
- Request pre-processing and security filtering.
Figure 1. HTTP request that will trigger vulnerability

Exploit and Attack Scenario

This vulnerability is exploited using the Range HTTP header. This header allows clients to request specific parts of a resource on demand. For example, a client that only needs a few bytes of a file can request just those bytes instead of the entire file. RFC 2616 (which defines HTTP/1.1) specifies the Range header. A corresponding response header (Accept-Ranges) is used by servers to tell clients that they support the Range header. Typically, the Range header contains values like this:
It could also have values like this:
If the upper bound in the Range header isn't present, it is considered that client is requesting the complete data. This is as good as not using the Range header at all. What if instead, a very high upper bound is specified by the attacker? All an attacker would have to do is send a specially crafted HTTP request with a special Range value, which would cause an overflow of the Range variable on the server. This is already being done by publicly available exploit code:
Figure 2. HTTP request that will trigger vulnerability

The cURL command can also be used as below to send the same exploit:

$ curl -v example.com -H "Host: example.com" -H "Range: bytes=0-18446744073709551615"

The upper bound of the Range header is 0xFFFFFFFFFFFFFFFF, which is the largest 64-bit unsigned integer. This large value causes an integer overflow. A vulnerable server replies to such a request with the HTTP status line "Requested Range Not Satisfiable".
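The following Python script is an added example, not code from the Trend Micro post or from Microsoft, showing how a defender can parse Range headers from request logs and flag the upper bound the text describes. It implements the RFC 2616 bytes=start-end syntax, checks whether end - start + 1 (the length a server has to compute) would wrap a 64-bit unsigned integer, and applies a policy ceiling on the upper bound (INT64_MAX by default, which is an assumption: no served file has an offset that large). The sample requests, including one carrying the 18446744073709551615 value from the curl command above, are constructed for the example.

```python
import re

# Largest values representable in 64 bits. The public exploit's upper bound is exactly
# UINT64_MAX (0xFFFFFFFFFFFFFFFF); no real file offset comes anywhere near INT64_MAX.
UINT64_MAX = 0xFFFFFFFFFFFFFFFF
INT64_MAX = 0x7FFFFFFFFFFFFFFF

_BYTES_RANGE = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_byte_ranges(value):
    """Parse an RFC 2616 Range header value such as 'bytes=0-499,500-' into
    a list of (start, end) tuples. A missing bound is returned as None.
    Raises ValueError on anything that is not a well-formed byte-range set."""
    m = _BYTES_RANGE.match(value)
    if not m:
        raise ValueError("not a bytes= range")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        start_s, sep, end_s = spec.partition("-")
        if not sep:
            raise ValueError(f"missing '-' in {spec!r}")
        if not start_s and not end_s:
            raise ValueError("empty range spec")
        # Only unsigned decimal digits are legal on either side of the dash.
        if (start_s and not start_s.isdigit()) or (end_s and not end_s.isdigit()):
            raise ValueError(f"non-numeric bound in {spec!r}")
        ranges.append((int(start_s) if start_s else None, int(end_s) if end_s else None))
    return ranges


def length_overflows_uint64(start, end):
    """True when end - start + 1 (the length the server must compute) does not
    fit in an unsigned 64-bit integer, i.e. the arithmetic the post describes wraps."""
    return end - start + 1 > UINT64_MAX


def range_is_suspicious(value, max_offset=INT64_MAX):
    """Return a short reason if a Range header is malformed or looks like an overflow
    attempt, else None. max_offset is a policy limit (assumption: INT64_MAX by default)."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError as exc:
        return f"malformed: {exc}"
    for start, end in ranges:
        if end is not None and end > max_offset:
            return f"upper bound {end} exceeds {max_offset}"
        if start is not None and end is not None and end < start:
            return f"upper bound {end} below lower bound {start}"
        if end is not None and length_overflows_uint64(start or 0, end):
            return "range length overflows 64 bits"
    return None


# Constructed sample requests (not real traffic): method, path and Range header value.
SAMPLE_REQUESTS = [
    ("GET", "/welcome.png", "bytes=0-499"),
    ("GET", "/welcome.png", "bytes=500-"),
    ("GET", "/welcome.png", "bytes=-500"),
    ("GET", "/welcome.png", "bytes=0-18446744073709551615"),
    ("GET", "/index.html", "bytes=100-50"),
]


def flag_requests(requests):
    """Return (path, range_value, reason) for every request whose Range header is suspicious."""
    flagged = []
    for _method, path, range_value in requests:
        reason = range_is_suspicious(range_value)
        if reason is not None:
            flagged.append((path, range_value, reason))
    return flagged


if __name__ == "__main__":
    for path, value, reason in flag_requests(SAMPLE_REQUESTS):
        print(f"{path} Range: {value} -> {reason}")
```

With the default ceiling the exploit value is rejected on the upper-bound check alone; passing max_offset=UINT64_MAX to range_is_suspicious lets the 64-bit length check catch it instead, which is the arithmetic the post attributes to HTTP.sys. Suffix ranges (bytes=-500) and open-ended ranges (bytes=500-) are legitimate and pass.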
Figure 3. Reply to exploit code by unpatched server

This means that the client asked for a part of the file that lies beyond the end of the file on the server. A successful attack could cause a BSOD, leading to a denial of service. Microsoft has said that this vulnerability could lead to remote code execution, although no exploit capable of this is publicly known. After the fix, the HTTP headers are checked for errors, and a different error is returned if the same attack as before is sent:
Figure 4. Reply to exploit code by unpatched server

A response that includes the string "The request has an invalid header name" indicates that the server is patched and the attack will fail. Proof-of-concept code already uses this information, as seen below:
Figure 5. Proof of concept source code

Conclusion

This is a very easy vulnerability to exploit. A remote, unauthenticated attacker could easily perform denial of service attacks on web servers running a vulnerable version of IIS. While no remote code execution exploit is known, one could appear in the future. Administrators are advised to apply the patch; if that cannot be done immediately, disabling IIS kernel caching is a possible workaround. We have released the following Deep Security rule to protect Trend Micro customers:
- 1006620 - Microsoft Windows HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635)