HTTP.sys Vulnerability CVE-2015-1635 MS15-034
Johannes B. Ullrich, Ph.D.
[email protected]

Outline
• What is HTTP.sys?
• What does the “Range” header do?
• How is it exploited?
• How to test if you are vulnerable
• Examples of Current Exploits in the Wild

No Logo? No Catchy Name
HTTP deRANGEd

HTTP.sys
• Parses HTTP Requests
• Caches response using kernel caching
• If a “Range” header is used, extracts specific portion of page from Kernel Cache to pass to client
• Used in IIS 6 and later.
• NOT JUST USED BY IIS (part of Windows)

Range Header (RFC 7233)
• Used for partial downloads
• Often used to complete downloads
• Mobile clients (podcast clients) download pages in “chunks”.

GET / HTTP/1.1
Host: test
Range: bytes=0-5,10-15

Range Header Response

HTTP/1.1 206 Partial Content
Content-Type: multipart/byteranges; boundary=513da661b3ac6e

--513da661b3ac6e
Content-type: text/html; charset=UTF-8
Content-range: bytes 0-5/15

<HTML>
--513da661b3ac6e
Content-type: text/html; charset=UTF-8

No Upper Limit
“Since there is no predefined limit to the length of a payload, recipients must anticipate potentially large decimal numerals and prevent parsing errors due to integer conversion overflows.” (RFC 7233)

Exploit
• IIS limits the range to a 64 Bit Unsigned number.
• Maximum Number: 2^64-1 = 18446744073709551615 = 0xFFFFFFFFFFFFFFFF
• If lower end 0 -> No exploit

Exploit (2)
• Lower end > Size of file: No exploit
• Lower end > 0 and <= Size of file: Exploit!! Integer Overflow

Exploit Request

GET / HTTP/1.1
Host: test
Range: bytes=X-18446744073709551615

X=0: no exploit
X>0 and X<Filesize: Exploit

Information Leak
• If “lower end” = “file size - 1”
• Not reproducible in my testing
• Dumps kernel memory (same segment as “cache”?)
• Maximum size depends on size of file

Tests
• Send large HTTP Range request with lower end 0..
• Other Software using http.sys: netsh http show servicestate
• Check if patch is installed: wmic qfe | find KB3042553

Other Protections
• I(D|P)S: Does not work for SSL
• Host based IPS e.g. Symantec has signatures that block exploit
• WAF
• Authentication: Disable Anonymous Access

Current Exploits
• Many vulnerability scans (range starts at “0”)
• Some random DoS exploit attempts
• No Information Disclosure exploits in honeypot so far
• Reports of more targeted exploit attempts.

Risk
• Exposed Public Systems are at immediate risk of DoS
• Memory Disclosure likely “stable” in a couple days
• Remote Execution unlikely (in the near future)

What to do next?
• Expedite Patching MS15-034
• Consider “virtual patching” via WAF until patch is applied and verified
• Add IDS rules to detect exploit attempts
• Please… share anything you see!
• Is it as bad as Heartbleed? No…

Questions?
[email protected]
https://isc.sans.edu/presentations
@johullrich
Daily Podcast…
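The scanner-versus-exploit split from the Exploit Request and Current Exploits slides, turned into the kind of detection logic an IDS or WAF rule writer could start from. This is an added example, not code from the talk; the header values are constructed, and the function names and the 'scan'/'exploit'/'benign'/'malformed' labels are my own.

```python
import re

U64_MAX = 18446744073709551615  # largest endpoint HTTP.sys accepts (2^64-1), per the slides
_SPEC_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")  # "first-last", "first-" or "-suffix" (RFC 7233)

def parse_range(value):
    """Parse 'bytes=first-last[,first-last...]' into (first, last) tuples.
    Python ints never overflow, so oversized numerals are parsed instead of
    being mis-converted (the RFC 7233 caveat quoted in the talk)."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("unsupported or malformed Range unit")
    ranges = []
    for spec in specs.split(","):
        m = _SPEC_RE.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first = int(m.group(1)) if m.group(1) else None  # None: suffix range
        last = int(m.group(2)) if m.group(2) else None   # None: open-ended
        ranges.append((first, last))
    return ranges

def classify_range(value):
    """Label a Range header the way the talk splits observed traffic: 'scan'
    (lower end 0, upper end 2^64-1: scanner probe, no crash), 'exploit' (lower
    end > 0, upper end 2^64-1; the detector cannot know the file size, so every
    such request is flagged), 'benign' (parses, neither), 'malformed'."""
    try:
        ranges = parse_range(value)
    except ValueError:
        return "malformed"
    verdict = "benign"
    for first, last in ranges:
        if last is not None and last >= U64_MAX:
            if first:            # non-zero lower end
                return "exploit"
            verdict = "scan"     # lower end 0 or absent
    return verdict

# Constructed sample header values (not captured traffic)
SAMPLE_HEADERS = [
    "bytes=0-5,10-15",                  # the partial-download example
    "bytes=0-18446744073709551615",     # scanner probe
    "bytes=18-18446744073709551615",    # exploit attempt
    "bytes=-500",                       # suffix range, benign
    "bytes=abc",                        # malformed
]

def classify_samples():
    return [classify_range(h) for h in SAMPLE_HEADERS]
```

Because the detector has no view of the served file's size, the slide's "lower end > size of file: no exploit" case still gets flagged; tuning that down is a per-site decision.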