MS15-034/CVE-2015-1635 HTTP.sys remote code execution vulnerability analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201561240
Type myhack58
Reporter Anonymous
Modified 2015-04-16T00:00:00




On April's Patch Tuesday, Microsoft fixed a remote code execution vulnerability in HTTP.SYS, CVE-2015-1635, with the patch MS15-034, which it marked as "Critical". According to the Microsoft bulletin, when a vulnerable HTTP server receives a specially crafted HTTP request, remote code execution with system privileges may be triggered on the target system.

This is a security vulnerability with no small impact on server systems: any Windows Server 2008 R2 / Server 2012 / Server 2012 R2 or Windows 7/8/8.1 system with Microsoft IIS 6.0 or later installed is affected.

From the acknowledgements in Microsoft's bulletin, the vulnerability was discovered by the "Citrix Security Response Team", the security response team of the US company Citrix. From publicly available information, Citrix is a high-tech company working in cloud computing, virtualization, virtual desktops and remote access technology. This sparked a lot of discussion on Twitter about whether the vulnerability had been found during an APT attack against Citrix, and the fact that an anonymous user posted proof-of-concept code for this vulnerability on Pastebin within one to two hours of Microsoft releasing the patch seems to confirm this.

As soon as the information came out, the author and friends at 360Vulcan began an in-depth analysis, and within 12 hours the preliminary analysis had clarified the principle of the vulnerability and the information relevant to exploiting it. Below we share some of our results, so that the security community can better understand and defend against this high-risk vulnerability.

Vulnerability reproduction

Combining the information posted on Pastebin with the Microsoft bulletin, we know this is an integer overflow vulnerability in HTTP.SYS. From the Python code posted on Pastebin, we know that sending an HTTP request of the following form to an IIS server triggers the vulnerability, and so can be used to detect it:

GET / HTTP/1.1
Host: stuff
Range: bytes=0-18446744073709551615
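As an added example that is not part of the original article or the Pastebin code: a small Python checker that parses HTTP Range header values (RFC 7233 byte-range-spec syntax) and flags any byte range whose bounds cannot be handled in unsigned 64-bit arithmetic, the class of value the request above carries. The function names and sample requests are my own constructions; the logic is meant for a request filter or a scan over captured headers, to spot probes for this vulnerability before they reach HTTP.SYS.

```python
import re

UINT64_MAX = 2**64 - 1

def parse_byte_range(spec):
    """Parse one byte-range-spec ('0-499', '500-', '-500') into (first, last); None if invalid."""
    m = re.fullmatch(r"(\d*)-(\d*)", spec.strip())
    if not m or not (m.group(1) or m.group(2)):
        return None
    return (int(m.group(1)) if m.group(1) else None,
            int(m.group(2)) if m.group(2) else None)

def range_overflows_u64(first, last):
    """True when the bounds cannot be handled safely in unsigned 64-bit arithmetic:
    a bound above 2^64-1, last < first, or a last so large that last + 1 (the byte
    count up to and including it) wraps, as 'bytes=0-18446744073709551615' does."""
    if first is not None and first > UINT64_MAX:
        return True
    if last is None:                      # 'N-' is bounded by the resource size
        return False
    return last >= UINT64_MAX or (first is not None and last < first)

def range_header_is_suspicious(value):
    """Check a full Range header value such as 'bytes=0-499,-1'."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", value, re.IGNORECASE)
    if not m:
        return False                      # not a bytes range; nothing to check
    for spec in m.group(1).split(","):
        parsed = parse_byte_range(spec)
        if parsed is not None and range_overflows_u64(*parsed):
            return True
    return False

def scan_requests(raw_requests):
    """Return the indices of raw HTTP requests whose Range header is suspicious."""
    hits = []
    for i, req in enumerate(raw_requests):
        for line in req.split("\r\n"):
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "range" and range_header_is_suspicious(val):
                hits.append(i)
                break
    return hits

# Constructed sample requests; the first is the trigger request shown in the article.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-1023\r\n\r\n",
    "GET /a.png HTTP/1.1\r\nHost: stuff\r\nRange: bytes=500-,-200\r\n\r\n",
]
```

Running scan_requests(SAMPLE_REQUESTS) returns [0]: only the request carrying the overflowing range is flagged, while ordinary and suffix ranges pass.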

