Analyzing CVE-2015-1635 from cause to cure

SasiSiddharth ‎04-22-2015 08:14 AM - edited ‎04-24-2015 10:56 AM

The MS15-034 patch recently issued by Microsoft fixes a critical vulnerability in the HTTP.sys driver of several Windows versions (Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2). It is highly recommended that all servers running the vulnerable versions of Windows be updated immediately.

 

The vulnerability is caused by a bug in HTTP.sys, the kernel-mode HTTP protocol stack driver. Several components can sit on top of this driver, but the most prominent one is the IIS web server. According to Microsoft’s Introduction to IIS Architectures, “HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.” One of the benefits of using this driver is kernel-mode caching, which lets HTTP.sys answer requests for cached content without handing them to a user-mode worker process. This feature appears to be where the bug is triggered, since the workaround Microsoft offers is to disable IIS kernel caching, at the cost of performance.

 

The reported bug is an integer overflow triggered by a huge value in the Range header of an HTTP request. The Range header lets a client ask for a byte range of a resource instead of the whole thing, in the form bytes=first-last. The vulnerability occurs when the last-byte position is set to 18446744073709551615 (2^64 - 1, the largest value a 64-bit unsigned integer can hold), so that the length arithmetic HTTP.sys performs on the range bounds wraps around instead of being rejected by validation. The issue is tracked as CVE-2015-1635 in the Common Vulnerabilities and Exposures system.
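As an added illustration, not code from this post and not HTTP.sys’s own logic (the write-ups linked further down cover the real internals), the following Python shows why an end position of 2^64 - 1 is dangerous for a server that computes a range length before validating it: the unsigned 64-bit expression end - start + 1 wraps to 0 when start is 0 and becomes an enormous count when start is greater than 0. The hardened parser beside it validates the bounds, answers 416 for a start past the resource, clamps the end to the resource size as RFC 7233 prescribes, and only then does arithmetic. Function names, the 1000-byte content length and the 'a-b'/'a-' subset of Range syntax are assumptions.

```python
"""Added illustration, not HTTP.sys code: an unchecked 64-bit range-length
computation next to a parser that validates and clamps the range first."""
import re
from typing import Tuple

U64_MAX = (1 << 64) - 1                        # 18446744073709551615, the probe value
RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")  # assumption: only 'a-b' and 'a-' forms


def parse_range(header: str) -> Tuple[int, int]:
    """Return (first_byte_pos, last_byte_pos); an open end ('a-') means U64_MAX."""
    m = RANGE_RE.match(header.strip())
    if not m:
        raise ValueError("unsupported Range syntax")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else U64_MAX
    if start > U64_MAX or end > U64_MAX:
        raise ValueError("bound does not fit in 64 bits")
    return start, end


def naive_length(start: int, end: int) -> int:
    """'end - start + 1' exactly as unsigned 64-bit hardware computes it: it wraps."""
    return (end - start + 1) & U64_MAX


def check_header(header: str, content_length: int) -> str:
    """Hardened handling: reject bad syntax (400), answer 416 when the start is
    past the resource, clamp the end to the resource (RFC 7233), then compute."""
    try:
        start, end = parse_range(header)
    except ValueError:
        return "400"
    if start > end:
        return "400"              # malformed byte-range-spec
    if start >= content_length:
        return "416"              # unsatisfiable: nothing to serve
    end = min(end, content_length - 1)
    return f"206 start={start} length={end - start + 1}"


if __name__ == "__main__":
    for hdr in ("bytes=0-18446744073709551615", "bytes=18-18446744073709551615"):
        s, e = parse_range(hdr)
        print(f"{hdr}: naive length {naive_length(s, e)}; hardened -> {check_header(hdr, 1000)}")
```

Run as a script it prints the wrapped naive length (0 for a start of 0, 18446744073709551598 for a start of 18) next to the hardened result, a 206 whose length can never exceed the resource. The lesson generalizes: compare and clamp the bounds against the resource size first, and never let a value chosen by the client feed unchecked arithmetic that later sizes a copy.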

 

The vulnerability may be exploited in two ways. When the byte range starts at a number greater than 0 (for example bytes=18-18446744073709551615), the request crashes the kernel and blue-screens the machine, a straightforward denial of service. Microsoft also rates the bug as allowing remote code execution; because HTTP.sys is a kernel-mode driver, such code would run with kernel privileges, not merely those of the web server’s worker process.

 

To test for this vulnerability, send a simple GET request for a static file on the IIS server (the home page will do if it is a static .htm file) and add a Range header with the value “bytes=0-18446744073709551615”. A vulnerable server returns HTTP status 416 (Requested Range Not Satisfiable). Two caveats apply. First, 416 is the normal HTTP answer to an unsatisfiable range on any server, so the result only means something when the Server header identifies Microsoft-IIS or Microsoft-HTTPAPI. Second, keep the start value at 0: a start greater than 0 is the crash variant and will take down an unpatched server.

 

Figure 1 The vulnerable server returns a 416 error

 

On the other hand, below is a sample request and response from a patched server.

 

Figure 2 The patched server returns a 400 (Bad Request) error

 

Note that since this issue lives in the kernel-mode cache, the vulnerability will not manifest itself when requesting a non-cacheable resource. Based on our tests, the attack will only succeed on cacheable static file types such as .html, .htm, .jpeg, etc., or when requesting dynamic files that have the Output Caching feature enabled in kernel mode.

 

We also noted that it is not possible to mask the existence of the vulnerability by configuring a default or custom error page: a vulnerable server returns the default 416 error page even when a custom redirect is configured. While it may be possible to configure an intermediate proxy server to strip or rewrite the Range header, the recommended fix is to install the MS15-034 update from Microsoft.
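Putting the check and its caveats together, here is an added Python probe that is not part of the original post nor of WebInspect. It sends the start-0 request for an assumed static path (/iisstart.htm, the start page of a default IIS install; change it to any cacheable file on the target), reads the status line and Server header, and classifies the reply: 400 from Microsoft-IIS or Microsoft-HTTPAPI means patched, 416 from those servers means vulnerable, and anything else is inconclusive because 416 is a normal answer on other servers and a non-cacheable path never exercises the bug. The two sample responses at the bottom are constructed for offline use, not captured from real servers. Only run probe() against hosts you are authorized to test.

```python
"""Added detection script (not part of the original post or WebInspect): sends the
safe 'bytes=0-18446744073709551615' probe and classifies the answer."""
import socket
from typing import Dict, Tuple

PROBE_RANGE = "bytes=0-18446744073709551615"        # 2**64 - 1; start stays 0 so the server does not crash
IIS_MARKERS = ("microsoft-iis", "microsoft-httpapi")  # Server: values emitted by IIS / HTTP.sys
DEFAULT_PATH = "/iisstart.htm"                       # assumption: static file on a default IIS site


def build_request(host: str, path: str = DEFAULT_PATH) -> bytes:
    """Raw HTTP/1.1 GET for a static (kernel-cacheable) resource with the probe Range."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Range: {PROBE_RANGE}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, {lower-case header name: value}) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: Dict[str, str]) -> str:
    """Map the probe result to a verdict, applying the caveats from the post."""
    server = headers.get("server", "").lower()
    is_iis = any(marker in server for marker in IIS_MARKERS)
    if status == 400 and is_iis:
        return "patched"            # MS15-034 rejects the header outright
    if status == 416 and is_iis:
        return "vulnerable"         # unpatched HTTP.sys serving a cacheable resource
    if status == 416:
        return "inconclusive: 416 is a normal answer elsewhere; Server is not IIS/HTTP.sys"
    if status in (200, 206):
        return "inconclusive: range was served; try a static, cacheable path"
    return f"inconclusive: HTTP {status}"


def probe(host: str, port: int = 80, path: str = DEFAULT_PATH, timeout: float = 5.0) -> str:
    """Send the probe over a plain TCP socket and classify the reply (does network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        buf = b""
        while b"\r\n\r\n" not in buf:      # headers are all we need
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return classify(*parse_response(buf))


# Constructed sample replies (not captured from real servers) for offline use.
SAMPLE_VULNERABLE = (b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
                     b"Content-Type: text/html\r\nServer: Microsoft-IIS/8.5\r\n"
                     b"Date: Wed, 22 Apr 2015 15:14:00 GMT\r\nContent-Length: 362\r\n\r\n")
SAMPLE_PATCHED = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
                  b"Server: Microsoft-HTTPAPI/2.0\r\nDate: Wed, 22 Apr 2015 15:14:00 GMT\r\n"
                  b"Connection: close\r\nContent-Length: 334\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("vulnerable sample", SAMPLE_VULNERABLE), ("patched sample", SAMPLE_PATCHED)):
        print(f"{name}: {classify(*parse_response(raw))}")
```

A raw socket is used instead of http.client so that the request on the wire is exactly the one shown in the figures above, with nothing added or normalized by a client library; the Connection: close header and the read loop that stops at the end of the headers keep the probe from hanging on servers that leave the connection open.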

 

If interested, a more detailed analysis of the vulnerability has been written up by many others online. Here are the links to a couple of good ones by BeyondTrust and SecuritySift.

 

The HP Security Research team has released a check in WebInspect that can detect this issue.

 

Comments
Bart12366
on ‎04-22-2015 11:57 AM

"…dynamic file such as .aspx. The attack will only succeed on cacheable static file types such as .html, .htm, .jpeg, etc."

Is this a true statement? Can you provide a link where it says that dynamic content CANNOT be cached in kernel caching.

This seems to indicate that it's possible to cache dynamic content in kernel caching, albeit with some limitations: http://aspalliance.com/1533_ASPNET_Performance_Tips.7

Did this change in newer IIS versions?

SasiSiddharth
on ‎04-24-2015 10:58 AM

Thank you Bart12366 for pointing out this feature. Yes, IIS does allow kernel caching of dynamic files, but only if the files satisfy certain conditions. I have edited the post to reflect this piece of information. I appreciate your contribution and thank you for being an active reader of our blog.
