In-depth analysis of IIS 7 HTTP. sys Vulnerabilities

In-depth analysis of IIS 7 HTTP. sys Vulnerabilities

Impact scope of http. sys Vulnerabilities

With in-depth analysis by various parties, the impact of Windows HTTP. sys vulnerabilities on various regions is gradually emerging. Http. sys is the kernel driver for Microsoft Windows to process HTTP requests. According to data from the Internet broad-spectrum platform of aligreennet, there are about 4.44 million IIS systems deployed worldwide, according to the distribution statistics of affected IIS versions, IIS 7.5 has the largest deployment volume, accounting for 42.3% of the total deployment volume, which is also the focus of this Tracking Analysis.



In the following global IIS7.5 distribution chart, we can see that countries in the Americas, Europe, Asia, and other countries are seriously affected. Among them, the United States, China, the United Kingdom, and Germany are affected dense areas.

Http. sys Vulnerability Hazard Analysis

Many large enterprises or organizations are dealing with http. when a sys Vulnerability occurs, you must take a cautious attitude. You need to customize action plans based on your business conditions and network environment to avoid damages to the business system, this requires an in-depth understanding of the principles of the vulnerability to provide a suitable solution. Unknown attack! The principles of this vulnerability are analyzed below to help you better understand and defend against this high-risk security vulnerability.
Vulnerability trigger

According to the PoC (http://pastebin.com/ypURDPc4) disclosed on Pastebin, it is easy to construct a PoC that can trigger BSOD, such as the following request:
GET/welcome.png HTTP/1.1
Host: PoC
Range: bytes = 12345-18446744073709551615

You can install IIS 7.5 on Windows 7 SP1 system BSOD.

Vulnerability Principle

Here, we take IIS 7.5 installed on Windows 7 SP1 X64 as an example. The kernel version is 6.1.7601.18409, And the HTTP. sys version is 6.1.7601.17514.

On-site analysis of the BSOD crash, it is found that memory errors are caused by various situations. It is estimated that the vulnerability may cause memory damage after being triggered. Analyze the HTTP. sys processing process and perform troubleshooting to determine whether memory corruption occurs in the HTTP function! In UlBuildFastRangeCacheMdlChain, the call stack is as follows:



Function HTTP! UlBuildFastRangeCacheMdlChain is used to generate a cache MDL chain for the response message to describe the status line, header, and Message Body of the HTTP response. Each MDL on the chain calls nt! IoBuildPartialMdl.

Nt in MSDN! IoBuildPartialMdl is described as follows:

Note that the interval determined by VirtualAddress and Length must be a self-interval in the buffer zone described by SourceMdl, and the violation of this requirement causes memory corruption in this vulnerability.
 
3rd calls nt! When IoBuildPartialMdl is used to generate the message body MDL, the parameters are as follows:

 

 SourceMdl = 0xfffffa801a38cb60 SourceMdl.VirtualAddress =0xfffffa801ac94000SourceMdl.ByteCount = 0x2d315 SourceMdl.ByteOffset = 0x0TargetMdl = 0xfffffa801a2ed580TargetMdl.VirtualAddress =0xfffffa801ac97000TargetMdl.ByteCount =0xffffcfc7TargetMdl.ByteOffset = 0x39VirtualAddress =0xfffffa801ac97039 Length = 0xffffcfc7

The Length here is calculated based on the Range field in the HTTP request message header. The process is as follows:

First, in HTTP! The Range field is parsed in UlpParseRange to obtain RangeBegin and RangeEnd;

Then, calculate RangeLength = RangeEnd-RangeBegin + 1;

Finally, truncate RangeLength to 32 bits to get the Length.

Take the Range: bytes = 12345-18446731673709551615 in PoC as an example:

RangeBegin = 12345 = 0x3039RangeEnd = 18446744073709551615= 0xffffffffffffffffRangeLength =0xffffffffffffffff - 0x00003039 + 1 = 0xffffffffffffcfc7Length = 0xffffcfc7

Apparently, the Length is too long, leading to the violation of nt! IoBuildPartialMdl, which causes memory corruption.

Restrictions

Some verification measures in HTTP. sys may go to HTTP! Before the UlBuildFastRangeCacheMdlChain function, change RangeLength to a valid value, so that the vulnerability is not triggered.

For example, in IIS 7.5 of Windows 7 SP1 X64 system, the function HTTP! UlAdjustRangesToContentSize checks RangeLength and adjusts it if necessary, as shown below:

When RangeBegin> = ContentLength, the corresponding data is removed;

When RangeLength =-1, RangeLength = ContentLength-RangeBegin;

When RangeEnd + 1> = ContentLength, RangeLength = ContentLength-RangeBegin;

Therefore, to ensure that RangeLength is not corrected and can trigger the vulnerability, both RangeEnd + 1 and RangeEnd> ContentLength must be met, and RangeEnd can only be 0 xffffffffffffff.

In this way, RangeBegin must be smaller than ContentLength and cannot be 1 (otherwise, RangeLength = 0 xffffffffffffffff-1 + 1 =-1 and RangeLength is corrected ).

In other versions of the system, there may be more restrictions.

Code Execution

From the above analysis, we can see that triggering this vulnerability can overwrite data and cause memory corruption. In theory, there is a possibility of remote code execution. However, the minimum length of the data written out of the border is determined by ContentLength, which is usually a large value, even if the system crashes. Even if some large files exist on the target server, it can be used to write a small amount of data out of the border, and it is difficult to control the written data content and the target to be overwritten. Therefore, it is very difficult to use this vulnerability to execute code in a real environment.

Race against http. sys attacks

From the preceding analysis, we can see that attacks exploiting this vulnerability may take two forms: 1. The first one is relatively difficult and may easily lead to a blue screen of the server system; 2. If the attacker's level is relatively high, the attacker can precisely control the memory and execute code remotely to gain full control over the system. Especially when facing high-value reward attack targets, the probability of occurrence is higher. IT staff of enterprises or organizations need to consider the solution as soon as possible to avoid attacks before the security defense measures are launched. This should include at least the following steps:

First, you should first obtain the vulnerability notice and related information to understand the scope and depth of the vulnerability.

Furthermore, the announcement and interpretation should be combined with the actual IT business system conditions to fully determine the scope and extent of the impact (including the impact on its own business and its customers ), this judgment process requires data as the factual basis for accurate solution development. We recommend that you use a secure and reliable vulnerability scanning tool to upgrade the latest plug-in or rule repository to scan the entire network for security, obtain first-hand data to serve as the basis for decision-making;

Thirdly, IT personnel need to make a rectification schedule from the perspectives of business stability, hazard level, scope and importance, rectification and reinforcement work is performed on local networks, host devices, or service system devices in order of weight from high to low (we recommend that you invite vulnerability-related vendors and security vendors to participate ).

In this phase, security vendors need to provide professional technical assistance, such as vulnerability reinforcement consultation, verification of successful reinforcement, and understanding which devices of the security vendors have released or are about to release protection rules, after the upgrade, you can perform protection;

If you have not used any security device, you need to take temporary protection measures, including using solutions from vulnerability-related vendors and security vendors to get time for overall reinforcement, avoid the window time being attacked and lost before successful reinforcement and rectification, which is not uncommon among many 0-day events;

In addition, vulnerability-related vendors and security vendors need to collaborate to communicate with each other about the vulnerability principles and utilization process for a deeper explanation, developers of vulnerability-related vendors can gain an in-depth understanding of the vulnerability and conduct code-level rectification based on their own situations;

Then, after the reinforcement stage or the whole process is completed, you need to perform a complete scan again and manually verify the rectification and reinforcement results. If the technical investment permits, we recommend that you perform another log analysis on all aspects, observe whether any successful attack during rectification and reinforcement causes other losses to the system;

Finally, make a summary and record-filing after the overall response is completed.

IIS vulnerabilities

As IIS is used heavily, there are a lot of problems, which always give people a feeling of being unreliable. In fact, in 2014, Microsoft IIS experienced two high-risk vulnerabilities, of which 2nd have not yet provided patches or upgraded programs, we recommend that you use these IIS versions to keep an eye on the vendor's homepage to obtain the latest version, and consult the Green Alliance technology service staff!

IIS security function Bypass Vulnerability (MS14-076) (CVE-2014-4078)

Description: The IP Security Function of IIS8.0/8.5 does not correctly process inbound Web requests based on the "IP Address and Domain Restrictions" list. This allows remote attackers to send HTTP requests, attackers can exploit this vulnerability to bypass target rules.

Cgi crlf Injection Vulnerability (CVE-2011-5279)

Description: IIS 4 on Windows 2000 and Windows. x and 5. the CRLF Injection vulnerability exists in CGI Implementation of Version x, which allows remote attackers to construct malformed requests to modify environment variables through \ n characters (new lines) in the CGI request, so as to further execute arbitrary code.
 
In addition, IIS has made several major vulnerabilities in its history. The Green League Research Institute of Science and Technology specially sorted out the information to facilitate IT personnel of enterprises and organizations to learn from IT. Please pay special attention to the following:

Microsoft IISFastCGI Request Header Remote Overflow Vulnerability (MS10-065)

Description: For IIS servers with FastCGI enabled, remote attackers can trigger buffer overflow by submitting special HTTP requests, resulting in arbitrary code execution. Attackers can remotely execute arbitrary code.

Microsoft IIS authentication token Processing Remote Code Execution Vulnerability (MS10-040) (CVE-2010-1256)

Description: The IISWeb server does not properly allocate memory when parsing the authentication information received from the client. Remote attackers can send a specially crafted authentication message to express the working process ID (WPI). Extended Protection for Authentication must be enabled to exploit this vulnerability (disabled by default ). Attackers can remotely execute arbitrary code.

Microsoft IIS FTPd service NLST Command Remote Stack Overflow Vulnerability (MS09-053) (CVE-2009-3023)

Description: attackers can cause DoS attacks or remotely execute arbitrary code. The FTP server embedded in Microsoft IIS has the stack overflow vulnerability. If a remote attacker publishes an ftp nlst (name list) command containing wildcards to a directory with a special NAME, this overflow can be triggered, resulting in DOS or arbitrary code execution. A directory with a special name can be created only when attackers have write access permissions. Attackers can cause denial-of-service attacks or remotely execute arbitrary code.

Microsoft IIS script file name parsing error vulnerability

Description: IIS will automatically Parse in php format in the form of Runtime ([YYY] and [ZZZ] are changeable strings ). Remote attackers can exploit this vulnerability to break through the Web application's restrictions on the types of uploaded files, and execute arbitrary script code on the server to gain control over the server. Attackers can remotely execute arbitrary code.

Microsoft IIS 5.0WebDAV bypass authentication vulnerability (MS09-020) (CVE-2009-1122)

Description: The IIS WebDAV extension does not properly decode the URL of the special request. As a result, WebDAV applies incorrect configurations when processing the request. If the application configuration allows anonymous access, special requests can bypass authentication. Note that IIS still processes the request in the security context of the configured anonymous user account. Therefore, this vulnerability cannot be used to bypass ntfs acl, the file system ACL still imposes restrictions on anonymous user accounts. Attackers can bypass authentication to obtain unauthorized access.

Microsoft IIS WebDAVUnicode request bypass authentication vulnerability (MS09-020) (CVE-2009-1535)

Description: The IIS WebDAV function does not correctly process the Unicode ring when parsing the URI and sending back data concurrently. Remote attackers can bypass password-protected folder authentication by submitting malicious http get requests, or list, upload, or download files in the password-protected WebDAV Directory. Attackers can bypass authentication to perform unauthorized operations.

Microsoft iis asp Remote Code Execution Vulnerability (MS08-006) (CVE-2008-0075)

Description: The remote code execution vulnerability exists in the way IIS processes ASP Web page input, allowing attackers to send malicious input to the ASP page of the website. Attackers who successfully exploit this vulnerability can perform any operation on the IIS server with the WPI permission (which is configured as the network service account permission by default. Attackers can remotely execute arbitrary code.