Microsoft recently patched a critical remote code execution vulnerability in the HTTP Protocol Stack (http.sys), the kernel component Windows' built-in IIS web server uses to process HTTP requests. The vulnerability is tracked as CVE-2021-31166 and carries a CVSS score of 9.8. The flaw is wormable and is also reported to affect the Windows Remote Management (WinRM) service on unpatched machines exposed to the internet. Fortunately, according to the vendor advisory, only Windows 10 and Windows Server versions 2004 and 20H2 are affected. As a result, only a subset of the roughly 2 million systems exposing the WinRM service online is vulnerable to this attack.
The vulnerability stems from improper tracking of pointers while processing the network packet objects used for HTTP requests. An attacker can trigger the flaw by sending a specially crafted packet to a server that relies on the HTTP Protocol Stack to process it. Because http.sys is implemented as a kernel-mode device driver, exploitation leads at minimum to a Blue Screen of Death (BSOD) and, in the worst case, to remote code execution. The flaw is described as wormable because it can spread from one system to the next across a network, like a chain reaction, without any user interaction.
Security researcher Jim DeVries found that the flaw affects the WinRM service as well as the IIS server, since WinRM also relies on the vulnerable http.sys. Enterprise editions of Windows ship with the WinRM service enabled by default, whereas home PCs are safe from this attack unless WinRM has been enabled manually or the HTTP Protocol Stack is otherwise in use. The chances of this vulnerability affecting WinRM servers are therefore high in corporate environments.
Security researcher Axel Souchet recently published a PoC for this vulnerability, along with a video demonstrating the BSOD after the script is run against a target system. The image below shows the code where the bug occurs.
Image Credits: @0vercl0k
The bug lives in the http!UlpParseContentCoding function, which parses the ‘Accept-Encoding’ header of an HTTP request. The function keeps a local LIST_ENTRY, the head of a circular doubly linked list, to which each parsed coding is appended. Once the items have been appended, the list is moved into the request structure, but the local LIST_ENTRY is not emptied, so it still refers to entries the request now owns. The issue arises when an attacker can trigger a code path that frees the entries through this local list: freeing each entry empties the local list but leaves the request object holding a list of dangling pointers. The next use of that corrupted LIST_ENTRY crashes the kernel, producing a BSOD.
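The list handling just described, as an added example (my own code, not http.sys, Microsoft's, or the PoC author's): the structures and names (coding_entry, http_request, move_list, release_codings, transfer_leaves_local_empty) are hypothetical stand-ins, and the parser is a toy. It reproduces the pattern of collecting parsed Accept-Encoding values on a local LIST_ENTRY head and then handing them to the request, and shows the step that keeps such a transfer safe: the local head is re-initialised after the move, so a later cleanup of the local list can no longer free entries the request still references. A consistency walk additionally detects a list whose Flink/Blink pairs disagree.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal re-implementation of the Windows LIST_ENTRY helpers (same semantics as
 * the ntdef.h macros): a circular doubly linked list around a sentinel head. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}
#define CONTAINING_RECORD(p, type, f) ((type *)((char *)(p) - offsetof(type, f)))

/* Hypothetical stand-ins for the http.sys structures (names are mine, not Microsoft's). */
struct coding_entry { LIST_ENTRY link; char name[32]; };
struct http_request { LIST_ENTRY codings; };
void http_request_init(struct http_request *req) { InitializeListHead(&req->codings); }

/* Transfer ownership of every entry from src to dst. The last line is the step the
 * bug class above lacks: src is reset to an empty head, so the caller's local list
 * no longer aliases entries the request owns, and a later cleanup of src cannot
 * free them out from under the request. dst must be an empty head. */
void move_list(LIST_ENTRY *dst, LIST_ENTRY *src) {
    if (IsListEmpty(src)) { InitializeListHead(dst); return; }
    dst->Flink = src->Flink; dst->Blink = src->Blink;
    dst->Flink->Blink = dst; dst->Blink->Flink = dst;
    InitializeListHead(src);
}

/* Walk the ring and check that every Flink/Blink pair agrees: the same invariant
 * the kernel's list-corruption fast-fail checks enforce on insert and remove. */
int list_is_consistent(const LIST_ENTRY *head) {
    const LIST_ENTRY *e = head;
    do {
        if (e->Flink->Blink != e || e->Blink->Flink != e) return 0;
        e = e->Flink;
    } while (e != head);
    return 1;
}

/* Unlink and free every entry; returns the number freed (0 for an empty head). */
size_t release_codings(LIST_ENTRY *head) {
    size_t n = 0;
    while (!IsListEmpty(head)) {
        LIST_ENTRY *first = head->Flink;
        RemoveEntryList(first);
        free(CONTAINING_RECORD(first, struct coding_entry, link));
        n++;
    }
    return n;
}

/* Parse a comma-separated Accept-Encoding value into req->codings through a local
 * head, mirroring the structure described for http!UlpParseContentCoding. Returns
 * the number of codings stored; req must be freshly initialised. */
size_t parse_accept_encoding(const char *header, struct http_request *req) {
    LIST_ENTRY local;
    char buf[256];
    size_t count = 0;
    InitializeListHead(&local);
    if (strlen(header) >= sizeof buf) return 0;   /* oversized input rejected, req untouched */
    strcpy(buf, header);
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        while (*tok == ' ' || *tok == '\t') tok++;               /* trim leading whitespace */
        char *end = tok + strlen(tok);
        while (end > tok && (end[-1] == ' ' || end[-1] == '\t')) *--end = '\0';
        if (*tok == '\0') continue;                              /* skip empty tokens */
        struct coding_entry *ce = calloc(1, sizeof *ce);
        if (ce == NULL) { release_codings(&local); return 0; } /* error path frees only the local list */
        snprintf(ce->name, sizeof ce->name, "%s", tok);
        InsertTailList(&local, &ce->link);
        count++;
    }
    move_list(&req->codings, &local);   /* request owns the entries; local is now an empty head */
    return count;
}

/* The property the fix relies on: after the transfer, cleaning up the local head
 * frees nothing, and every entry is released through the request instead. */
int transfer_leaves_local_empty(void) {
    struct http_request req;
    LIST_ENTRY local;
    http_request_init(&req);
    InitializeListHead(&local);
    for (int i = 0; i < 3; i++) {
        struct coding_entry *ce = calloc(1, sizeof *ce);
        if (ce == NULL) { release_codings(&local); return 0; }
        InsertTailList(&local, &ce->link);
    }
    move_list(&req.codings, &local);
    return IsListEmpty(&local) && release_codings(&local) == 0
        && list_is_consistent(&req.codings) && release_codings(&req.codings) == 3;
}
```

Compiled with any C99 compiler, `parse_accept_encoding("gzip, deflate, br", &req)` stores three entries on the request; `release_codings(&req.codings)` then frees exactly those three, while `release_codings` on the local head after the move returns 0. A local head that is not re-initialised would instead still walk (and free) the request's entries, which is the defect the paragraph above describes.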
An unauthenticated attacker who successfully exploits the vulnerability can remotely execute arbitrary code on affected systems or cause a denial of service (BSOD).
All architectures of Windows versions 2004 and 20H2 that use the HTTP Protocol Stack (http.sys) to process packets are affected:
- Microsoft Windows 10 Version 2004
- Microsoft Windows 10 Version 20H2
- Microsoft Windows Server, version 2004 (Server Core installation)
- Microsoft Windows Server, version 20H2 (Server Core installation)
Microsoft released a security fix in its Patch Tuesday updates for May 2021. Apply the KB update that corresponds to your OS version.
SanerNow detects this vulnerability and automatically remediates it by applying the security update. We strongly recommend applying the security update as soon as possible, following the instructions published in our support article.