I. Vulnerability Summary
On April 14, 2015, Microsoft issued the critical security bulletin MS15-034 (CVE-2015-1635), which states that a vulnerability in Http.sys could allow remote code execution.
Vulnerability description
Http.sys is a core component of the Windows operating system. Through its interfaces, any application can communicate with others over HTTP. Microsoft introduced a new HTTP API and the kernel-mode Http.sys driver in Windows Server 2003 to make HTTP-based services more efficient. Http.sys has actually been present since Windows XP SP2, but the operating system does not make use of this kernel-mode driver there, and IIS 5.1 on XP does not use the HTTP API.
According to the POC, this vulnerability is an integer overflow. Microsoft's bulletin states that the most severe security impact is remote code execution.
Vulnerability impact
Affected versions:
IIS 7.0 and later on Windows 7/8/8.1 and Windows Server 2008 R2/2012/2012 R2.
Vulnerability Analysis
The patch comparison shows that the code mentioned in the POC lies in the modified part of the UlpParseRange function.
In the UlpParseRange function of the unpatched Http.sys file, the code is as follows.
We can see that the 64-bit integer arithmetic is performed directly, without the necessary integer overflow check.
In the UlpParseRange function of the patched Http.sys file, the code is modified as follows.
The RtlULongLongAdd function is used to compute the range length v18; this function performs the integer overflow check.
Let's take a look at the callers of the RtlULongLongAdd function.
In the unpatched Http.sys file, RtlULongLongAdd is called in only one place.
In the patched Http.sys file, RtlULongLongAdd is called 13 times in total to check for integer overflow. This indicates that the vulnerable system may have several processing paths with security issues caused by integer overflow.
Through the patch comparison, the modified functions are determined to be as follows.
Analysis shows that the integer overflow in the UlAdjustRangesToContentSize function is the key step that makes the vulnerability effective.
This code performs the 64-bit integer calculation directly, without checking for overflow. The patch replaces it with a call to the RtlULongLongAdd function.
This part of the code determines whether the file offset range obtained from the request exceeds the data length of the requested cached file. If it does, the read length is reduced to an appropriate size to prevent out-of-bounds data access. Because of the integer overflow, however, the out-of-bounds check is ineffective: the read length is not adjusted, resulting in out-of-bounds data access with a controllable length.
However, successfully exploiting this vulnerability requires several conditions to be met; the details need further analysis.
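To make the failure mode concrete, here is an added illustration (not Http.sys code and not from the original article) of the bounds test described above: a clamp that uses a plain 64-bit add beside one that uses an overflow-checked add modelled on the contract of RtlULongLongAdd. The file size and range values are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the overflow-checked ULONGLONG add the patch introduces
 * (modelled on RtlULongLongAdd's contract; hypothetical, not the real routine). */
static bool ulonglong_add(uint64_t a, uint64_t b, uint64_t *sum) {
    if (a > UINT64_MAX - b)
        return false;          /* a + b would wrap past 2^64 */
    *sum = a + b;
    return true;
}

/* Pre-patch style: the bounds test uses a plain 64-bit add, so a range
 * whose start + length wraps looks "in bounds" and is never shortened. */
uint64_t clamp_range_unchecked(uint64_t start, uint64_t length, uint64_t content_size) {
    if (start + length > content_size)
        length = content_size - start;
    return length;
}

/* Patched style: a wrapping add is an error, not a valid range.
 * Returns 0 on success (clamped length in *out), -1 if the request is rejected. */
int clamp_range_checked(uint64_t start, uint64_t length, uint64_t content_size, uint64_t *out) {
    uint64_t end;
    if (start > content_size || !ulonglong_add(start, length, &end))
        return -1;
    if (end > content_size)
        length = content_size - start;
    *out = length;
    return 0;
}

int main(void) {
    /* Constructed values: a 1 MB cached file and a range whose length is
     * close to 2^64, so start + length wraps to a tiny number (95 here). */
    const uint64_t content = 1000000, start = 4096, length = UINT64_MAX - 4000;
    uint64_t out;
    printf("unchecked: length kept at %llu (wrap hid the overrun)\n",
           (unsigned long long)clamp_range_unchecked(start, length, content));
    if (clamp_range_checked(start, length, content, &out) < 0)
        printf("checked:   request rejected (integer overflow)\n");
    if (clamp_range_checked(500, 1000, 1200, &out) == 0)
        printf("checked:   in-range request clamped to %llu bytes\n", (unsigned long long)out);
    return 0;
}
```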
Vulnerability verification
The following Python program can be used to detect whether a system is vulnerable.
import socket

ipAddr = "192.168.154.130"
hexAllFfff = "18446744073709551615"

# Plain request used to confirm the target is IIS; each request ends with a blank line
req1 = b"GET / HTTP/1.0\r\n\r\n"
# Range request with an upper bound of 2^64-1, which the unpatched Http.sys mishandles
req = ("GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n").encode()

print("[*] Audit Started")
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if b"Microsoft" not in boringResp:
    print("[*] Not IIS")
    exit(0)
client_socket.close()

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
client_socket.close()
if b"Requested Range Not Satisfiable" in goodResp:
    print("[!] Looks VULN")
elif b"The request has an invalid header name" in goodResp:
    print("[*] Looks Patched")
else:
    print("[*] Unexpected response, cannot discern patch status")
If "Looks VULN" is printed, the system has a vulnerability.
II. ZoomEye emergency summary
The Knownsec (Chuangyu) security research team used the cyberspace search engine ZoomEye to perform a full-network search. The following figures show the proportion of IIS versions that may be affected in the current network space:
▲Proportion of versions used by affected websites
▲Distribution of regions affected by IIS vulnerabilities on national websites
In addition, the ZoomEye search results show that the total number of affected websites in China reaches 795,317, more than one fifth of all websites in China. In terms of regional distribution, Beijing ranks first with 27, 39 websites. Fixing the vulnerability is imperative, and network administrators are urged to apply the patch as soon as possible. The official patch download address is:
https://support.microsoft.com/zh-cn/kb/3036653
III. Repair suggestions
Use the Windows Update mechanism and select the kb30.053 security update to upgrade the system.
This vulnerability online verification address: http://www.scanv.com/lab
IV. Related Resource Links
https://technet.microsoft.com/zh-cn/library/security/ms15-034