IIS 7 HTTP. sys vulnerability in-depth analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201561431
Type myhack58
Reporter 佚名
Modified 2015-04-20T00:00:00


http. sys vulnerability range As the parties in-depth analysis, across a domain managed by Windows HTTP. sys vulnerability of the case is gradually surfaced. Yesterday's announcement of the information mentioned in the Http. sys is a Microsoft Windows processing the HTTP request the kernel driver, according to nsfocus Internet broad-spectrum platform for data display, the global deployment of IIS the number of systems there are probably 4 4 4 thousand, from the moment the affected IIS versions distribution statistics, wherein the IIS 7.5 deployment the largest amount, accounting for more than 4 2. 3%, is also the trace analysis of focus.


In the following the global IIS7. 5 the distribution of the posture of the figure, you can see the Americas, Europe, Asia and other countries affected more serious, including the United States, China, the UK and Germany for the affected densely populated areas. ! http. sys vulnerability criticality analysis Many large companies or organizations in response to the http. sys vulnerability, they often need to adopt a cautious attitude, for the response measures needed, and in conjunction with their business situation and environment, a customized action plan to avoid business system to cause damage, which requires in-depth understanding of the vulnerability of the principle, in order to give a suitable solution. Unknown-tapping 焉知 Defense! The following of this vulnerability principles for analysis, so that we better understand and Defense of this a high-risk security vulnerabilities. The vulnerability is triggered According to the Pastebin on the disclosure of PoC(http://pastebin.com/ypURDPc4 very easy to construct can trigger the BSOD PoC, such as the following request: 1 GET /welcome. png HTTP/1.1 2 Host: PoC 3 Range: bytes=12345-18446744073709551615 Can be installed with IIS 7.5 of Windows 7 SP1 system BSOD's. The vulnerability principle Here to Windows 7 SP1 X64 system installed on IIS 7.5 as an example for analysis, its kernel version is 6. 1. 7 6 0 1. 1 8 4 0 9, HTTP. sys of version 6. 1. 7 6 0 1. 1 7 5 1 4 in. The BSOD crash site were analyzed and found to be in various cases of memory errors, thus presumably triggering the vulnerability may cause memory damage. HTTP. sys process flow analysis, stepwise investigation, may determine that the memory destruction occurs in the function of the HTTP! UlBuildFastRangeCacheMdlChain, the call stack is as follows: ! Function HTTP! UlBuildFastRangeCacheMdlChain for generating a response packet to the cache MDL chain, to describe the HTTP response status line, a header and a message body, the chain on the MDL by calling nt! IoBuildPartialMdl to generate. MSDN for the nt! IoBuildPartialMdl as follows: ! Note that this is explicitly requested by the VirtualAddress and Length to determine the interval must be SourceMdl description of buffer A from the range, it is on this requirement of the violation resulting in the vulnerability of memory destruction.

3rd call to nt! IoBuildPartialMdl to generate the message body of the MDL when the parameters are as follows: !

1 SourceMdl = 0xfffffa801a38cb60 2 SourceMdl. VirtualAddress =0xfffffa801ac94000 3 SourceMdl. ByteCount = 0x2d315 4 SourceMdl. ByteOffset = 0x0 5 TargetMdl = 0xfffffa801a2ed580 6 TargetMdl. VirtualAddress =0xfffffa801ac97000 7 TargetMdl. ByteCount =0xffffcfc7 8 TargetMdl. ByteOffset = 0x39 9 VirtualAddress =0xfffffa801ac97039 1 0 Length = 0xffffcfc7 Here the Length is according to the HTTP request message header in the Range field calculated, the process is as follows: First, in HTTP! UlpParseRange in the Range of the field parsing, to give the RangeBegin And RangeEnd; and Then, the calculation RangeLength = RangeEnd - RangeBegin + 1; and Finally, RangeLength truncated to 3 2 bits give the Length. To the PoC in the Range: bytes=1 2 3 4 5-1 8 4 4 6 7 4 4 0 7 3 7 0 9 5 5 1 6 1 5 as an example: 1 RangeBegin = 1 2 3 4 5 = 0x3039 2 RangeEnd = 1 8 4 4 6 7 4 4 0 7 3 7 0 9 5 5 1 6 1 5= 0xffffffffffffffff 3 RangeLength =0xffffffffffffffff - 0x00003039 + 1 = 0xffffffffffffcfc7 4 Length = 0xffffcfc7 Obviously due to the Length of ultra-long and result in a violation of the nt! IoBuildPartialMdl requirements, thereby causing the memory damage. Restrictions HTTP. sys in some of the validation measures may in into HTTP! UlBuildFastRangeCacheMdlChain function before RangeLength modified as a legitimate value, and thus does not trigger the vulnerability.

[1] [2] [3] next