Analysis of MS15-034 by our Active Watch Premier Team

Summary:

On April 14th, 2015, MS15-034 was released by Microsoft, which states that a remote code execution vulnerability has been found in HTTP.sys. The vulnerability in HTTP.sys can be exploited by sending a specially crafted, but simple, HTTP request to a Windows HTTP server. Results of the exploit can be a system crash (resulting in Denial of Service) or even remote code execution. 

Detail:
HTTP.sys is the HTTP protocol stack in Microsoft Windows, introduced with IIS 6. Sending a specially crafted HTTP request to a vulnerable system can cause the system to crash. Microsoft has stated that remote code execution is possible, but no proofs of concept have been publicly released. 

The vulnerable code stores the bounds of the ‘Range’ HTTP header as a 64-bit integer, whose maximum value is 18446744073709551615 (0xFFFFFFFFFFFFFFFF). Sending an HTTP request whose ‘Range’ upper bound is exactly this maximum value results in the error response “Requested Header Range Not Satisfiable”. Sending a request whose ‘Range’ value approaches the maximum results in a memory overflow, which will cause the system to crash or allow arbitrary code execution at the kernel level.

Threat description:
The attack is very basic. An attacker needs only to run the “wget” or “curl” terminal command against a static file (such as a .jpg file) hosted on the site with a specified range header.

Extent of threat: HTTP.sys is the system HTTP stack in Microsoft Windows. It is utilized by IIS, as well as any other application or service that serves HTTP. Scanning behavior has already been observed “in the wild,” with attackers issuing not only the test HTTP header but also headers that result in DoS (system crash). 

Example/Test case:
To manually test your server, send a Range header for bytes beginning at 0 and ending at the maximum 64-bit value:
    curl -v http://[ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
    wget -O /dev/null --header="Range: bytes=0-18446744073709551615" http://[ipaddress]/

The above example will test for the vulnerability without resulting in DoS. The response, “Requested Header Range Not Satisfiable”, indicates that the server may be vulnerable. 

A Metasploit module has been developed to test for vulnerable servers. 

Mitigation:
Microsoft has released a security update which addresses this vulnerability. Windows security updates should be installed immediately. Please see Knowledge Base article 3042553 for more information.

Alert Logic currently has an IDS signature to detect this exploit attempt.

Administrators may disable IIS kernel caching as a workaround. This mitigation is specific to IIS and is superseded by the security update described above.

The attack can be detected/prevented by other IDS/IPS solutions. It should be noted however that the attack can be successful over SSL and so could bypass some IDS/IPS solutions that do not implement SSL decryption. 
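As an added example (not part of the Alert Logic advisory), the following Python applies the detail from the Detail section and the detection point above to constructed request records: it parses the Range header, flags the exact 2^64-1 upper bound used by the test request, and flags bounds far beyond any plausible static file. The 4 GiB threshold, the sample events and the client addresses are assumptions made for this example.

```python
import re
# 2**64 - 1: the largest value the vulnerable code stores for a Range bound
MAX_UINT64 = 18446744073709551615
# Heuristic (assumption for this example): offsets above 4 GiB are implausible
# for a static file, so larger bounds deserve a second look
LARGE_OFFSET = 1 << 32
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")  # "start-end", "start-" or "-suffix"

# Constructed sample events (not real traffic): (client, path, Range header value)
SAMPLE_EVENTS = [
    ("10.0.0.5", "/images/logo.jpg", "bytes=0-1023"),
    ("10.0.0.5", "/images/logo.jpg", "bytes=500-999,1000-1499"),
    ("10.0.0.7", "/video.mp4", "bytes=-500"),
    ("192.0.2.10", "/welcome.png", "bytes=0-18446744073709551615"),
    ("192.0.2.11", "/welcome.png", "bytes=4294967296-"),
    ("192.0.2.12", "/iisstart.htm", "bytes=0-18446744073709551616"),
]

def parse_range(value):
    """Parse a Range value into (start, end) pairs; None if not well formed."""
    m = re.match(r"^\s*bytes\s*=\s*(.+?)\s*$", value, re.IGNORECASE)
    if not m:
        return None
    ranges = []
    for part in m.group(1).split(","):
        spec = RANGE_SPEC.match(part.strip())
        if not spec or not (spec.group(1) or spec.group(2)):
            return None
        start = int(spec.group(1)) if spec.group(1) else None
        end = int(spec.group(2)) if spec.group(2) else None
        ranges.append((start, end))
    return ranges

def classify_range(value):
    """Label a Range header: normal, suspect, probe (the MS15-034 test) or malformed."""
    ranges = parse_range(value)
    if ranges is None:
        return "malformed"
    bounds = [b for pair in ranges for b in pair if b is not None]
    if any(b > MAX_UINT64 for b in bounds):
        return "malformed"  # does not fit in 64 bits at all
    if MAX_UINT64 in bounds:
        return "probe"  # exact value from the published test request (HTTP 416)
    if any(b >= LARGE_OFFSET for b in bounds):
        return "suspect"  # far beyond any realistic static-file offset
    return "normal"

def scan_events(events=SAMPLE_EVENTS):
    # Return (client, path, label) for every event whose Range is not normal
    return [(c, p, classify_range(r)) for c, p, r in events
            if classify_range(r) != "normal"]
```

Because the check runs on decoded header values, it only sees requests over SSL when the sensor or proxy feeding it performs SSL decryption, which is the same caveat noted above for IDS/IPS signatures.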

Affected platforms:
Windows 7 32bit SP1
Windows 7 x64 SP1
Windows Server 2008 R2 x64 SP1
Windows Server 2008 R2 for Itanium-based Systems SP1
Windows 8 32bit
Windows 8 x64
Windows 8.1 32bit
Windows 8.1 x64
Windows Server 2012
Windows Server 2012 R2
Windows Server 2008 R2 for x64 SP1 Core
Windows Server 2012 Core
Windows Server 2012 R2 Core

Additional resources:
SANS Webcast – https://www.sans.org/webcasts/100152?utm_medium=Email&utm_source=House+List&utm_content=Microsoft+Patch+MS-35+Email+Invite+NA+April+16+2015&utm_campaign=SANS+Webcasts
Security Bulletin – https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
Security Update – https://support.microsoft.com/en-us/kb/3042553
CVE-2015-1635 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Metasploit Module – https://github.com/rapid7/metasploit-framework/pull/5150
PoC – http://www.exploit-db.com/exploits/36773/