MS15-034 – Range Header Integer Overflow

The Internet is all a buzz again with the latest Microsoft vulnerability, affecting HTTP.sys. We have been getting a number of questions about the severity and scope of impact.

Impact

To determine if you are applications or hosts are impacts consider the following items:

  • Does it use IIS 6.0 or Later?
  • Does it use HTTP sever API?
  • Does it use the WFC HttpListener and related classes?

If you are not using IIS but are unsure if your application might be using HTTP.sys, you can get a good indication with the netstat command.

  1. Open a command prompt as Administrator
  2. Execute: netstat –ab
  3. Locate the port your application uses in the listing, if the process name shows up as “Cannot obtain ownership information” and it acts as an HTTP server then it is very likely affected.

There is also python script written by David Kennedy at TrustedSec for checking IIS – supports HTTP/HTTPS.

# Quick MS15-034 checker that supports HTTP/HTTPS
# Written by David Kennedy @ TrustedSec
# Blog: https://www.trustedsec.com/april-2015/ms15-034-range-header-integer-overflow/
import sys
import urllib2
try:
  url = "%s" % sys.argv[1]

except:
  print ''
  print "MS15-034 Checker written by Dave Kennedy @ TrustedSec"
  print "Original PoC used from here http://pastebin.com/ypURDPc4"
  print "Supports HTTP/HTTPS"
  print "Usage: python ms15-034.py <http(s)://url>"
  print ''
  exit(0)
 
request = urllib2.Request(url)
request.add_header('Range', 'bytes=0-18446744073709551615')
opener = urllib2.build_opener()

try:
  feeddata = opener.open(request).read()
  print "[*] Does not appear to be vulnerable. Congrats! Or if you are a hacker, sorry, sux :P"

except Exception, e:
  if "Requested Range Not Satisfiable" in str(e):
    print "[*] Server appears to be vulnerable - got requested 'Request Range Not Satisfiable'."

  else:
    print "[*] Does not appear to be vulnerable or got a different response. Printing response: " + str(e)

According to reports, an error response of “Requested Range Not Satisfiable” means the system likely vulnerable. A response of “The request has an invalid header name” means the system has been patched.

You can also use curl to test with the following curl command:

curl -v http(s)://hostname/ -H "Host: hostname" -H "Range: bytes=0-18446744073709551615" -k

Be aware that other systems may also have this vulnerability, but gave indeterminate results because of preceding errors (no authentication, file not found, etc.)

Local test on affected system:

Patches are available from Microsoft for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2. As detection of this vulnerability is prone to false positives, the following command should be issued on the host in question to test for the MS15-034 patch:

wmic qfe | find "KB3042553"

If the results are blank, the patch has not been applied.

Risk

To understand the risk it is import to know what HTTP.sys does.  Here is what Microsoft’s documentation has to say about it,

HTTP.sys provides the following benefits:

  • Kernel-mode caching. Requests for cached responses are served without switching to user mode.
  • Kernel-mode request queuing. Requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process. If no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up.
  • Request pre-processing and security filtering.

Because the software is running in kernel mode successful exploitation can have serious consequences for the system. Unlike exploits in user mode software, kernel mode exploits may bypass memory protections, possibly allowing an attacker to cause a system crash. Microsoft indicates the vulnerability could allow remote code execution, and published work others have does that is currently circulation appears to offer partial confirmation. If this proves to be true the vulnerability could be used to obtain system level access.

How it works

The vulnerability is very similar to those that have been seen in the Apache web server in the past. A value is passed to the HTTP Range header that will over flow the 64-bit integer the software allocates to store it, when converted from the text of the HTTP request. Normally the Range header is used by clients to request part of a document. Trigging the overflow may allow an attacker to cause memory or file access outside the expected boundaries.

Our Advice

Patch all Windows servers to remove the vulnerability from your environment. Consider emergency patching procedures for any public facing assets using IIS or the HTTP server APIs.

 

This blog post was written by Geoff Walton of TrustedSec.

Contributions from:

Adrian Crenshaw (Irongeek)

David Kennedy (HackingDave)

David Kennedy

Author: David Kennedy

Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.