HTTP.sys Vulnerability CVE-2015-1635 (MS15-034)
Johannes B. Ullrich, Ph.D.


Outline
- What is HTTP.sys?
- What does the “Range” header do?
- How is it exploited?
- How to test if you are vulnerable
- Examples of current exploits in the wild

No Logo? No Catchy Name
HTTP deRANGEd

HTTP.sys
- Parses HTTP requests
- Caches responses using kernel caching
- If a “Range” header is used, extracts the requested portion of the page from the kernel cache to pass to the client
- Used in IIS 6 and later
- NOT JUST USED BY IIS (part of Windows)

Range Header (RFC 7233)
- Used for partial downloads
- Often used to complete interrupted downloads
- Mobile clients (podcast clients) download pages in “chunks”.

GET / HTTP/1.1
Host: test
Range: bytes=0-5,

Range Header Response

HTTP/1.1 206 Partial Content
Content-Type: multipart/byteranges; boundary=513da661b3ac6e

--513da661b3ac6e
Content-type: text/html; charset=UTF-8
Content-range: bytes 0-5/

--513da661b3ac6e
Content-type: text/html; charset=UTF-8

No Upper Limit
“Since there is no predefined limit to the length of a payload, recipients must anticipate potentially large decimal numerals and prevent parsing errors due to integer conversion overflows.” (RFC 7233)

Exploit
- IIS limits the range to a 64-bit unsigned number.
- Maximum number: 2^64 - 1 = 0xFFFFFFFFFFFFFFFF
- If the lower end is 0 -> no exploit

Exploit (2)
- Lower end > size of file: no exploit
- Lower end > 0 and <= size of file: Exploit!! Integer overflow

Exploit Request

GET / HTTP/1.1
Host: test
Range: bytes=X

- X = 0: no exploit
- X > 0 and X < filesize: exploit

Information Leak
- If “lower end” = “file size - 1”
- Not reproducible in my testing
- Dumps kernel memory (same segment as “cache”?)
- Maximum size depends on the size of the file

Tests
- Send a large HTTP Range request with lower end 0.
- Other software using http.sys: netsh http show servicestate
- Check if the patch is installed: wmic qfe | find KB

Other Protections
- I(D|P)S: does not work for SSL
- Host-based IPS, e.g. Symantec has signatures that block the exploit
- WAF
- Authentication: disable Anonymous Access

Current Exploits
- Many vulnerability scans (range starts at “0”)
- Some random DoS exploit attempts
- No information disclosure exploits in the honeypot so far
- Reports of more targeted exploit attempts.

Risk
- Exposed public systems are at immediate risk of DoS
- Memory disclosure likely “stable” in a couple of days
- Remote code execution unlikely (in the near future)

What to do next?
- Expedite patching (MS15-034)
- Consider “virtual patching” via WAF until the patch is applied and verified
- Add IDS rules to detect exploit attempts
- Please… share anything you see!
- Is it as bad as Heartbleed? No…
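As an added example (not part of the slides), the following Python ties the RFC 7233 advice from the “No Upper Limit” slide to the “Add IDS rules” item: a Range parser that huge decimals cannot overflow, beside a log-side heuristic that flags the oversized ranges seen in the scans and DoS attempts described above. The function names, the 2**32 tuning threshold and the log lines are assumptions constructed for this illustration.

```python
# Added example, not from the slides: an RFC 7233 style Range parser that
# follows the quoted advice (expect huge decimals, never let them overflow)
# beside a log-side detector for the oversized ranges the talk describes.
# Function names, the 2**32 tuning threshold and the log lines are assumptions.
import re

SUSPICIOUS_MIN = 2**32      # assumed threshold: no web resource is that large
_SPEC = re.compile(r"^(\d*)-(\d*)$")
# Constructed access-log excerpt (not real traffic), simplified format.
SAMPLE_LOG = [
    '198.51.100.7 "GET /" range=bytes=0-5,10-15',
    '203.0.113.9 "GET /" range=bytes=0-18446744073709551615',
    '198.51.100.8 "GET /podcast.mp3" range=bytes=1048576-',
]

def parse_byte_ranges(header, file_size):
    """Satisfiable (first, last) pairs of a 'bytes=' Range header, or None if
    malformed/unsatisfiable. Python ints have no fixed width, so a 20-digit
    numeral is clamped to the file instead of wrapping like a uint64 would."""
    if not header.startswith("bytes=") or file_size <= 0:
        return None
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            return None                       # e.g. "bytes=-" or "bytes=a-b"
        first, last = m.groups()
        if first == "":                       # suffix form "-N": last N bytes
            if int(last) > 0:
                ranges.append((max(file_size - int(last), 0), file_size - 1))
            continue
        lo = int(first)
        if lo >= file_size:                   # unsatisfiable, skip (RFC 7233 2.1)
            continue
        hi = int(last) if last else file_size - 1
        if hi < lo:
            return None                       # syntactically invalid
        ranges.append((lo, min(hi, file_size - 1)))   # clamp, never trust hi
    return ranges or None

def is_suspicious_range(header):
    """IDS/WAF heuristic: any numeral >= SUSPICIOUS_MIN, which catches the
    2**64-1 upper bound scanners and DoS attempts send, not normal downloads."""
    return any(int(n) >= SUSPICIOUS_MIN for n in re.findall(r"\d+", header))

def scan_log(lines):
    """Range values from 'CLIENT "GET /path" range=<value>' lines that trip it."""
    found = (re.search(r"range=(\S+)", line) for line in lines)
    return [m.group(1) for m in found if m and is_suspicious_range(m.group(1))]
```

The parser clamps an oversized upper bound to the end of the resource, which is exactly the behaviour RFC 7233 prescribes, while the heuristic leaves the podcast-style resume request alone and flags only the 64-bit-maximum probe.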

Questions?
Daily Podcast…