
Analyzing CVE-2015-1635 from cause to cure

SasiSiddharth

The MS15-034 patch recently issued by Microsoft fixes a critical vulnerability in several Windows operating systems. It is highly recommended that all servers running the vulnerable versions of Windows be updated immediately. 

The vulnerability is caused by a bug in the HTTP.sys driver. This library may be used by various software components, but the most prominent one is the IIS web server. According to Microsoft’s Introduction to IIS Architectures, “HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.” One of the benefits of using this library is kernel-mode caching. This feature appears to be where the issue lies, since Microsoft suggests disabling kernel-mode caching as a workaround for the vulnerability, at the cost of performance.

The reported bug results in an integer overflow when a very large value is specified in the Range header of an HTTP request. The Range header may be used by a client to specify a byte range that should be retrieved from the given server resource. In this case, the vulnerability occurs when the byte range refers to a value beyond the range of a 64-bit integer, thus causing an integer overflow. This vulnerability is assigned the ID CVE-2015-1635 in the Common Vulnerabilities and Exposures system.
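The arithmetic behind that overflow is easy to see in a few lines. The following is an added example written for this post, not HTTP.sys code or anything from the original article: it parses a single "bytes=first-last" Range value, computes the range length the naive way with 64-bit wraparound (a constructed model of the flaw), and then shows a hardened version that validates the range against the resource size before doing any arithmetic. The regular expression, function names and the 1000-byte sample resource are assumptions made for the example.

```python
import re

U64_MASK = (1 << 64) - 1                       # 64-bit unsigned wraparound
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")  # single 'first-last' range only


def parse_range(header, resource_len):
    """Parse a 'bytes=first-last' Range value for a resource of resource_len bytes.

    Returns (first, last) with last inclusive; an omitted last means 'to the end'.
    No validation happens here, mirroring a parser that trusts the client."""
    m = RANGE_RE.match(header.strip())
    if not m:
        raise ValueError("unsupported or malformed Range header: %r" % header)
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else resource_len - 1
    return first, last


def unchecked_length(first, last):
    """Range length computed with plain 64-bit arithmetic (constructed model of
    the flaw, not the driver's code). For last == 2**64 - 1 the '+ 1' wraps, so
    bytes=0-18446744073709551615 yields a length of 0 instead of an error."""
    return (last - first + 1) & U64_MASK


def checked_length(first, last, resource_len):
    """Hardened version: validate against the resource size before arithmetic.

    Returns the number of bytes to send, or None when the range cannot be
    satisfied (the case a server answers with 416). An oversized 'last' is
    clamped to the end of the resource, as RFC 7233 describes."""
    if first > last or first >= resource_len:
        return None
    last = min(last, resource_len - 1)
    return last - first + 1


if __name__ == "__main__":
    # Constructed input: the header value from the post against a 1000-byte file.
    first, last = parse_range("bytes=0-18446744073709551615", resource_len=1000)
    print("unchecked length:", unchecked_length(first, last))      # 0 after wraparound
    print("checked length:  ", checked_length(first, last, 1000))  # 1000
```

The unchecked path silently produces a zero length for the post's header value, and a non-zero start such as 18 produces a length close to 2**64, which is the kind of value later size computations cannot cope with; the checked path never reaches that arithmetic with unvalidated bounds.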

The vulnerability may be exploited in two ways. When the byte range starts at a number greater than 0, the request can crash the Windows operating system, successfully causing a denial of service. According to Microsoft, it is also possible to execute arbitrary remote code with administrator privileges, since the execution is in the web server’s context.

In order to test for this vulnerability, construct a simple GET request to the home page of your IIS server and add a Range header with the value “bytes=0-18446744073709551615”. A vulnerable server will return an HTTP status code 416 – Requested Range Not Satisfiable.

Figure 1: The vulnerable server returns a 416 error

On the other hand, below is a sample request and response from a patched server.

Figure 2: The patched server returns a 400 (Bad Request) error

Note that since this issue exists in IIS’s caching mechanism, the vulnerability will not manifest itself when requesting a non-cacheable resource. Based on our tests, the attack will only succeed on cacheable static file types such as .html, .htm, .jpeg, etc., or when requesting dynamic files that have the Output Caching feature enabled in kernel-mode. 

Another interesting behavior noted was that it is not possible to mask the existence of the vulnerability by configuring a default or custom error page. A vulnerable server returns the default 416 error page even when a custom redirect is configured. While it may be possible to configure an intermediate proxy server to modify the request or response, the recommended way to fix the vulnerability is by updating the server with the latest patches from Microsoft.
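The manual test described above (a GET with the Range header, 416 meaning vulnerable and 400 meaning patched, with the caveat that only kernel-cacheable resources reveal the issue) can be wrapped in a small script for checking servers you administer after patching. The following is an added example and is neither the WebInspect check nor code from the original post; the extension list is limited to the static types the post names, and the helper names, the verdict strings and the placeholder target URL are assumptions made here.

```python
import http.client
from posixpath import splitext
from urllib.parse import urlsplit

PROBE_RANGE = "bytes=0-18446744073709551615"   # header value from the post

# Static types the post lists as kernel-cacheable; extend with other static
# types your server serves (assumption: they receive the same treatment).
STATIC_CACHEABLE = {".html", ".htm", ".jpeg"}


def classify(status):
    """Map the response status to the outcomes described in the post."""
    if status == 416:
        return "vulnerable"   # default 416 page, even when custom error pages are set
    if status == 400:
        return "patched"      # the MS15-034 fix rejects the request outright
    return "inconclusive"     # e.g. 200/206: resource may simply not be cacheable


def likely_kernel_cacheable(path):
    """True when the path ends in a static type the post lists as cacheable.
    Dynamic files such as .aspx return False: they are only cached in kernel
    mode when Output Caching is enabled for them, which a path alone cannot show."""
    return splitext(path.lower())[1] in STATIC_CACHEABLE


def build_probe_request(host, path="/"):
    """Raw HTTP/1.1 request carrying the Range header from the post, for
    review or for pasting into a manual testing tool."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Range: %s" % PROBE_RANGE,
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def probe(url, timeout=5.0):
    """Send the probe to a server you administer and classify the reply.
    Returns (status, verdict)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    path = u.path or "/"
    try:
        conn.request("GET", path, headers={"Range": PROBE_RANGE})
        status = conn.getresponse().status
    finally:
        conn.close()
    verdict = classify(status)
    if verdict == "inconclusive" and not likely_kernel_cacheable(path):
        verdict = "inconclusive (resource is not a cacheable static type)"
    return status, verdict


if __name__ == "__main__":
    import sys
    # Placeholder target; point this at a server you are responsible for.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/index.html"
    print(probe(target))
```

Request a static page such as index.html rather than the site root when the default document is dynamic; otherwise a 200 tells you nothing about the patch state, which is why the script flags that case separately.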

If interested, more detailed analyses of the vulnerability have been written up by others online. Here is the link to a good one by SecuritySift.

The Micro Focus Security Research team has released a check in WebInspect that can detect this issue.


2 Comments

dynamic file such as .aspx. The attack will only succeed on cacheable static file types such as .html, .htm, .jpeg, etc."


Is this a true statement? Can you provide a link where it says that dynamic content CANNOT be cached in kernel caching.


This seems to indicate that it's possible to cache dynamic content in kernel caching, albeit with some limitations: http://aspalliance.com/1533_ASPNET_Performance_Tips.7


Did this change in newer IIS versions?

SasiSiddharth

Thank you Bart12366 for pointing out this feature. Yes, IIS does allow kernel caching of dynamic files, but only if the files satisfy certain conditions. I have edited the post to reflect this piece of information. I appreciate your contribution and thank you for being an active reader of our blog.
