MS15-034 – HTTP.sys Advisory


By Mark Hofman, Terry Darling, and Simon Treadaway


1- Background on Microsoft Security Bulletin MS15-034 (CVE-2015-1635)

Microsoft earlier this week released a patch, MS15-034, for both servers and workstations. This patch addresses an issue in the file http.sys, which the operating system uses to accept and process HTTP and HTTPS requests. At the time of release the information provided by Microsoft was that remote code execution may be possible. Since its release on Tuesday, Proof of Concept (PoC) code has been published on the Internet. The initial versions only checked for a particular response from the server; these have since morphed into simple requests that cause a Denial of Service (DoS) and blue screen the Windows system.

The vulnerability may result in a complete takeover of systems, or disruption of systems and services through a successful DoS attack. Microsoft states it has not received any information indicating that this vulnerability has yet been used publicly in attacks; however, since its release PoC code has emerged, and multiple threat intelligence honeypots are detecting scans for this vulnerability using the strings that result in a DoS.

Mass scale exploitation of Internet-facing web-servers having the vulnerability is expected.

As exploitation does not require authentication and leaves no indicator of compromise, the most effective response is to implement remediation measures as soon as reasonably possible.


2- How does it work

The vulnerability is in the main component of the Windows HTTP protocol stack, http.sys, and is caused when http.sys improperly parses what Microsoft describes as "specially crafted HTTP requests". The specially crafted packet is an ordinary request sent to the server with a Range header carrying an extreme byte-range value, as shown below.


  GET / HTTP/1.1
  Host: MS15034
  Range: bytes=0-18446744073709551615


Successful exploitation of the vulnerability could allow an attacker to remotely execute arbitrary code in the context of the IIS account being used (the default IIS user account is SYSTEM) and thereby gain full remote access to the affected Windows system. It is, however, more likely that the DoS version of the code will be used to disrupt services.

Further technical details can be found at:


3- Who is affected

Any Microsoft server or workstation that accepts HTTP/HTTPS traffic is likely to be affected by this issue. Whilst most of the information available focuses on IIS, as this is the main application that utilises this particular file, it is not the only product running in a Windows environment that will be vulnerable.

Microsoft states the following versions of their operating system are vulnerable:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation option)
  • Windows Server 2012 R2 (Server Core installation option)


4- How can you identify if you are vulnerable

The mainstream testing tools such as Nessus, Nexpose and nmap have updated scripts and signatures to perform checks.

The simplest method to test whether your machine is vulnerable is to perform the following check from either a Linux system or a Windows system that has curl:

  $ curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"


If the response includes "Requested Range Not Satisfiable" (HTTP error 416), as in the response body below, the server is likely vulnerable.


  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
  <HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
  <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
  <BODY><h2>Requested Range Not Satisfiable</h2>
  <hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
  </BODY></HTML>


Some PowerShell alternatives are available but testing suggests these scripts may not be reliable.


5- How can you remediate

To fix the issue, the only approach at this time is to apply the patch released earlier this week (i.e. MS15-034). Priorities:

  1. Internet-facing Microsoft web servers should receive first priority, especially those utilising IIS as the web server.
  2. As a second priority, any remaining Internet-facing Windows systems should be patched.
  3. Internal servers utilising IIS.
  4. Remaining internal servers.
  5. Workstations (unless these are running IIS, in which case they should be treated as a level 3 priority).

Alternate options:

  • Disable IIS caching (IIS 7 upwards) – This will prevent the attack from being successful; however, it will have a significant impact on the performance of the server and is not a first choice.
  • Intrusion Prevention Signatures – The main Intrusion Detection vendors, as well as those with Next Generation firewalls, will already have signatures for this attack. Please be aware that effectiveness depends on the signature.
    • The more effective signatures target the Range header itself rather than one specific value, so that all such requests are identified and dropped. Range is not a header that is regularly passed by a normal application.
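As an added illustration of the signature approach described above (not Shearwater's or any vendor's code), the following Python check parses the Range header of raw HTTP requests and flags any whose byte offsets are implausibly large. The sample requests are constructed, and the 2**63-1 threshold is an assumption chosen because no resource served by a web server approaches that size.

```python
import re

# Constructed sample requests (not captured traffic) to exercise the check.
# Request 2 carries the value quoted in this advisory; request 3 uses a
# non-zero start with the same oversized end.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: MS15034\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: x\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
]

# Assumed threshold: a byte offset at or beyond 2**63-1 cannot belong to a
# real resource, so any such boundary is treated as hostile.
MAX_SANE_OFFSET = 2 ** 63 - 1

_RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_headers(raw):
    """Return {lower-case header name: value} from a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def range_bounds(value):
    """Return every integer boundary in a 'bytes=a-b,c-' Range value."""
    m = _RANGE_SPEC.match(value)
    if not m:
        return []
    bounds = []
    for spec in m.group(1).split(","):
        for part in spec.split("-"):
            part = part.strip()
            if part.isdigit():
                bounds.append(int(part))
    return bounds


def is_suspicious_range(raw):
    """True when the request carries a Range header with an oversized boundary."""
    headers = parse_headers(raw)
    if "range" not in headers:
        return False
    return any(b > MAX_SANE_OFFSET for b in range_bounds(headers["range"]))


def flag_requests(requests):
    """Indexes of the requests that a Range-based signature should drop."""
    return [i for i, r in enumerate(requests) if is_suspicious_range(r)]
```

A production signature would drop or alert on every Range header, as the advisory recommends; the threshold here only shows where the line between a legitimate partial download and the advisory's value falls.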

Given the criticality of the vulnerability Shearwater’s recommendation is to patch in accordance with the priorities outlined above.


6- How can we help

If required there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers' security and is always happy to provide advice. If any assistance is required, please contact us via email at seh@shearwater.com.au or via phone on 1300 228 872.

SANS Canberra Community Night

When: Wednesday, 25 March, 6:30 to 8:00 pm

Where: Hotel Realm, 18 National Circuit, Barton, Canberra

Topic: Developing Cyber Threat Intelligence

Speaker: Adrien De Beaupre, SANS Certified Instructor

Price: Free but places are strictly limited

RSVP: email anz@sans.org by Monday, 23 March

One of the issues facing many organizations is obtaining usable, accurate, timely, and tailored Cyber Threat Intelligence (CTI). CTI is required for organizations in order to maintain situational awareness on the internal and external threat environment that they operate in. Particularly problematic is that within the IT Security industry several services, while purported to be an advanced cyber threat intelligence source, use mostly open source intelligence with little value add analysis and intelligence built into the product by the vendor. This talk will discuss how to obtain CTI from a variety of open sources, including feeds from vendors, and creating your own enhanced by other sources with the appropriate people-process technologies. As well, some of the issues and challenges faced within an organization attempting to develop a CTI capability for internal use or as a product offering will be discussed.


SANS Secure Canberra 2015

Mon, Mar 16 – Sat, Mar 28, 2015

SEC401: Security Essentials Bootcamp Style
SEC504: Hacker Tools, Techniques, Exploits and Incident Handling
SEC542: Web App Penetration Testing and Ethical Hacking
FOR408: Windows Forensic Analysis
MGT433: Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program


SANS Training – Sydney 2014

This Event is now closed. Please check upcoming events here:

SEC480: Implementation & Auditing of the Australian Signals Directorate (ASD) Top 4 Mitigation Strategies
SEC760: Advanced Exploit Development for Penetration Testers
FOR572: Advanced Network Forensics and Analysis
SEC401: Security Essentials Bootcamp Style
SEC504: Hacker Techniques, Exploits & Incident Handling
SEC575: Mobile Device Security and Ethical Hacking
SEC579: Virtualization and Private Cloud Security


SANS Sydney Community Presentation

Topic: Self-Education: Using the Pull Method for Security Awareness Training

Speaker: Lance Spitzner, Training Director, SANS Securing the Human Program

Date: Friday, 20 March

Time: 3:30 p.m. for registration and refreshments. Presentation commences 4:00 p.m.

Location: Level 15, 2 Market Street, Sydney

Sponsor: Macquarie Telecom (www.macquarietelecom.com)

RSVP: anz@sans.org by Wednesday, 18 March

Traditional security awareness training has used a push method, from pushing out CBT training to mandatory workshops. Organizations are now trying a different approach, the pull method. This is when employees are encouraged to actively seek out training on their own. Learn how organizations are effectively building and promoting pull training and the successes they are seeing.