Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTTP.sys Vulnerability CVE-2015-1635 MS15-034 Johannes B. Ullrich, Ph.D. 1.

Published byJuliet Cannon Modified over 9 years ago

Similar presentations

Presentation on theme: "HTTP.sys Vulnerability CVE-2015-1635 MS15-034 Johannes B. Ullrich, Ph.D. 1."— Presentation transcript:

1 HTTP.sys Vulnerability CVE-2015-1635 MS15-034 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1

2 Outline What is HTTP.sys? What does the “Range” header do? How is it exploited? How to test if you are vulnerable Examples of Current Exploits in the Wild 2

3 No Logo? No Catchy Name HTTP deRANGEd 3

4 HTTP.sys Parses HTTP Requests Caches response using kernel caching If a “Range” header is used, extracts specific portion of page from Kernel Cache to pass to client Used in IIS 6 and later. NOT JUST USED BY IIS (part of Windows) 4

5 Range Header (RFC 7233) Used for partial downloads Often used to complete downloads Mobile clients (podcast clients) download pages in “chunks”. GET / HTTP/1.1 Host: test Range: bytes=0-5,10-15 5

6 Range Header Response HTTP/1.1 206 Partial Content Content-Type: multipart/byteranges; boundary=513da661b3ac6e --513da661b3ac6e Content-type: text/html; charset=UTF-8 Content-range: bytes 0-5/15 --513da661b3ac6e Content-type: text/html; charset=UTF-8 6

7 No Upper Limit “Since there is no predefined limit to the length of a payload, recipients must anticipate potentially large decimal numerals and prevent parsing errors due to integer conversion overflows.” (RFC 7233) 7

8 Exploit IIS limits the range to a 64 Bit Unsigned number. Maximum Number: 2^64-1 18446744073709551615 0xFFFFFFFFFFFFFF If lower end 0 -> No exploit 8

9 Exploit (2) Lower end > Size of file: No exploit Lower end > 0 and <=Size of file: Exploit!! Integer Overflow 9

10 Exploit Request GET / HTTP/1.1 Host: test Range: bytes=x- 18446744073709551615 X=0 no exploit X>0 and X<Filesize Exploit 10

11 Information Leak If “lower end” = “file size - 1” Not reproducable in my testing Dumps kernel memory (same segment as “cache”?) Maximum size depends on size of file 11

12 Tests Send large HTTP Range request with lower end 0.. Other Software using http.sys netsh http show servicestate Check if patch is installed wmic qfe | find KB3042553 12

13 Other Protections I(D|P)S: Does not work for SSL Host based IPS e.g. Symantec has signatures that block exploit WAF Authentication: Disable Anonymous Access 13

14 Current Exploits Many vulnerability scans (range starts at “0”) Some random DoS exploit attempts No Information Disclosure exploits in honeypot so far Reports of more targeted exploit attempts. 14

15 Risk Exposed Public Systems are at immediate risk of DoS Memory Disclosure likely “stable” in a couple days Remote Execution unlikely (in the near future) 15

16 What to do next? Expedite Patching MS15-034 Consider “virtual patching” via WAF until patch is applied and verified Add IDS rules to detect exploit attempts Please… share anything you see! Is it as bad as Heartbleed? No… 16

17 Questions? jullrich@sans.edu https://isc.sans.edu/presentations @johullrich Daily Podcast… 17

Download ppt "HTTP.sys Vulnerability CVE-2015-1635 MS15-034 Johannes B. Ullrich, Ph.D. 1."

Similar presentations

GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu.

GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Firewall Vulnerabilities Presented by Vincent J. Ohm.

Firewall Vulnerabilities Presented by Vincent J. Ohm.
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )
Computer Security and Penetration Testing

Computer Security and Penetration Testing
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
MEC 2014 4/19/2017 7:51 PM © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

MEC /19/2017 7:51 PM © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Process-to-Process Delivery:

Process-to-Process Delivery:
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.

Networking Basics TCP/IP TRANSPORT and APPLICATION LAYER Version 3.0 Cisco Regional Networking Academy.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

Similar presentations

Ads by Google