
Author Topic: The SANS Institute has warned Windows IIS web server admins - "Pings of Death"  (Read 1292 times)


Samker


The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites.

The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability on Tuesday with a patch numbered MS15-034: https://technet.microsoft.com/library/security/MS15-034

However, within hours of the update going live, people reverse engineered the new code to find out where the hole is and how to exploit it, and have started sending out the pings of death.

Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 systems running Microsoft's IIS web server are affected. The component at fault is HTTP.sys, a kernel-level driver that forwards requests for webpages and the like to the user-space server software, and caches static files: https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a2a45c42-38bc-464c-a097-d7a202092a54.mspx?mfr=true

The problem stems from HTTP.sys not safely handling the Range header in an HTTP request; this mechanism is used to fetch part of a file from a server, which is sometimes handy for resuming downloads: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35 If you set the range way too large, it causes the Windows kernel to crash.

So far, miscreants have developed two exploits: one to test if a server is vulnerable, and one that crashes it. Microsoft has warned the security bug can be used to execute code remotely on the server, but so far, no one seems to have been able to do that.

"Due to the ease with which this vulnerability can be exploited, we recommend that you expedite patching this vulnerability," SANS notes in an advisory: https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/

"We are seeing active exploits hitting our honeypots from 78.186.123.180. These scans use the denial-of-service version, not the 'detection' version of the exploit. The scans appear to be 'internet wide'."

To test if you are vulnerable, run the following code against your server to fetch a static file. If you get an error saying "Requested header range not satisfiable" you may be vulnerable; patched servers should reply: "The request has an invalid header name."

Code:
curl -v [ipaddress]/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"
Change 0- to 20- to blue-screen-of-death a vulnerable box.

"There also appears to be an information disclosure vulnerability," adds Johannes Ullrich, CTO of the SANS Internet Storm Center.

"If the lower end of the range is one byte less than the size of the retrieved file, kernel memory is appended to the output before the system reboots. In my own testing, I was not able to achieve consistent information leakage. Most of the time, the server just crashes."

(ElReg)
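As an added defensive example (not part of the post, the El Reg article or the SANS advisory), the following Python flags HTTP requests whose Range header carries the impossible upper bound described above, the kind of check a reverse proxy or request-log inspection script could run in front of an unpatched IIS box. The sample requests are constructed, and the 2^63 cut-off is an assumed heuristic rather than anything the advisory states.

```python
import re
from typing import List, Optional, Tuple

# 2^64 - 1: the upper bound used by the curl probe quoted in the post.
UINT64_MAX = 2**64 - 1
# Assumed heuristic: no real file offset reaches 2^63, so a larger bound is
# treated as a probe even when it is not the exact 2^64-1 value.
IMPOSSIBLE_OFFSET = 2**63
# Single byte-range per RFC 2616 section 14.35: "bytes=<first>-<last>".
RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")

def suspicious_range(range_value: str) -> Optional[str]:
    """Return a reason if the Range value matches the MS15-034 probe pattern, else None."""
    m = RANGE_RE.match(range_value.strip())
    if not m or not m.group(2):
        return None  # open-ended ("bytes=20-") or multi-range: not this signature
    last = int(m.group(2))
    if last == UINT64_MAX:
        return "upper bound is 2^64-1 (MS15-034 probe signature)"
    if last >= IMPOSSIBLE_OFFSET:
        return "upper bound exceeds 2^63 (cannot be satisfied by any file)"
    return None

def extract_range(raw_request: str) -> Optional[str]:
    """Pull the Range header value out of a raw HTTP/1.1 request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "range":
            return value.strip()
    return None

def scan_requests(requests: List[str]) -> List[Tuple[int, str, str]]:
    """Return (index, range_value, reason) for every request that trips the check."""
    findings = []
    for i, req in enumerate(requests):
        rng = extract_range(req)
        reason = suspicious_range(rng) if rng is not None else None
        if reason:
            findings.append((i, rng, reason))
    return findings

# Constructed sample requests (not captured traffic). The first mirrors the
# header sent by the curl check in the post; the third is an ordinary resume.
SAMPLE_REQUESTS = [
    "GET /static.png HTTP/1.1\r\nHost: test\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /static.png HTTP/1.1\r\nHost: test\r\nRange: bytes=0-9223372036854775808\r\n\r\n",
    "GET /big.iso HTTP/1.1\r\nHost: test\r\nRange: bytes=1048576-\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: test\r\n\r\n",
]
```

Calling scan_requests(SAMPLE_REQUESTS) flags the first two requests and leaves the legitimate resume and the plain GET alone.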
