The MS15-034 patch recently issued by Microsoft fixes a critical vulnerability in several Windows operating systems. It is highly recommended that all servers running the vulnerable versions of Windows be updated immediately.
The vulnerability is caused by a bug in the HTTP.sys driver. This driver may be used by various software components, but the most prominent one is the IIS web server. According to Microsoft’s Introduction to IIS Architectures, “HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.” One of the benefits of using this driver is kernel-mode caching. This feature appears to be the component at fault, since Microsoft suggests disabling kernel-mode caching as a workaround until the patch is applied, at the cost of reduced performance.
The reported bug results in an integer overflow when a huge value is specified in the Range header of an HTTP request. The Range header may be used by a client to specify a byte range that should be retrieved from the given server resource. In this case, the vulnerability occurs when the byte range refers to a value beyond the range of a 64-bit integer, thus causing an integer overflow. This vulnerability is assigned an ID of CVE-2015-1635 in the Common Vulnerabilities and Exposures system.
The vulnerability may be exploited in two ways. When the byte range starts at a number greater than 0, the request can crash the Windows operating system, successfully causing a denial of service. According to Microsoft, it is also possible to execute arbitrary remote code with administrator privileges, since the execution is in the web server’s context.
In order to test for this vulnerability, construct a simple GET request to the home page of your IIS server and add a Range header with the value “bytes=0-18446744073709551615”. A vulnerable server will return an HTTP status code 416 – Requested Range Not Satisfiable.
Figure 1: The vulnerable server returns a 416 error
On the other hand, below is a sample request and response from a patched server.
Figure 2: The patched server returns a 400 (Bad Request) error
Note that since this issue exists in IIS’s caching mechanism, the vulnerability will not manifest itself when requesting a non-cacheable resource. Based on our tests, the attack will only succeed on cacheable static file types such as .html, .htm, .jpeg, etc., or when requesting dynamic files that have the Output Caching feature enabled in kernel-mode.
Another interesting behavior we noted is that the existence of the vulnerability cannot be masked by configuring a default or custom error page. A vulnerable server returns the default 416 error page even when a custom redirect is configured. While it may be possible to configure an intermediate proxy server to modify the request or response, the recommended way to fix the vulnerability is to update the server with the latest patches from Microsoft.
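As an added example (not code from this post or from Micro Focus), the check described above and the proxy-side filtering mentioned here, in Python: `range_header_overflows` flags a Range header carrying a byte position at or beyond 2**64 - 1 so a reverse proxy can reject it before it reaches HTTP.sys, and `probe` sends the post's 0- test request to a server you administer and classifies the 416 / 400 response. The function names, the 2**64 - 1 threshold and the "inconclusive" verdict are my assumptions, not something the post specifies.

```python
import re
import http.client
from urllib.parse import urlsplit

MAX_U64 = 2**64 - 1
PROBE_RANGE = "bytes=0-18446744073709551615"  # the Range value from the test above

_BYTES_RANGE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def range_header_overflows(value):
    """True if any byte position in a Range header is at or beyond 2**64 - 1
    (assumed threshold). Such a request is the CVE-2015-1635 trigger and has no
    legitimate meaning, so a reverse proxy can safely reject it."""
    m = _BYTES_RANGE.match(value or "")
    if not m:
        return False
    for spec in m.group(1).split(","):
        first, dash, last = spec.strip().partition("-")
        if not dash:
            continue
        for pos in (first.strip(), last.strip()):
            if pos.isdigit() and int(pos) >= MAX_U64:
                return True
    return False


def classify_probe_status(status):
    """Map the status code returned for the probe to a verdict, using the two
    responses described in the post."""
    if status == 416:
        return "vulnerable"    # unpatched HTTP.sys: Requested Range Not Satisfiable
    if status == 400:
        return "patched"       # MS15-034 applied: Bad Request
    return "inconclusive"      # e.g. non-cacheable resource or an intermediate proxy


def probe(url, timeout=10):
    """Send the post's test request (the 0- range only, which does not crash the
    host) to one of your own IIS servers and return the verdict. Point it at a
    cacheable static file such as an .htm page, for the reasons given in the post."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": parts.netloc, "Range": PROBE_RANGE})
    status = conn.getresponse().status
    conn.close()
    return classify_probe_status(status)
```

Call `probe("http://your-iis-host/page.htm")` against a host you administer; `range_header_overflows` can be dropped into a proxy or WAF request hook as a deny rule.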
Several more detailed analyses of the vulnerability have been written up online; a good one is the write-up by SecuritySift.
The Micro Focus Security Research team has released a check in WebInspect that can detect this issue.