Wormable RCE – Windows PoC Exploit Released!

Share This Post

A researcher has released a proof-of-concept (PoC) exploit for CVE-2021-31166, a use-after-free, highly critical vulnerability in the HTTP protocol stack (http.sys) that could lead to wormable remote code execution (RCE).

The exploit open sCVE-2021-31166, a bug with a CVSS score of 9.8 that was the worst in Microsoft’s Patch Tues. release last week.

Severe Bug

Microsoft discovered the flaw internally, releasing a patch in its May 11 Patch Tues. update. This was the most severe bug in that batch: an http.sys issue that requires neither user authentication nor user interaction to exploit. An exploit would allow RCE with kernel privileges or a denial-of-service (DoS) attack.

According to a tweet from Microsoft’s Justin Campbell, the vulnerability was found by @_mxms & @fzzyhd1.

Fortunately, this http.sys bug was an internal find by our team. This one thanks to @_mxms@fzzyhd1 and everyone who contributes to our tooling & automation. https://t.co/0ru9BQMaJ9

— Justin Campbell (@metr0) May 13, 2021

http.sys enables Windows & applications to communicate with other devices; it can be run standalone or in conjunction with Internet Information Services (IIS).

Priority Patching

“In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilising the HTTP Protocol Stack (http.sys) to process packets,” Microsoft explained in its advisory. Given that the vulnerability is wormable, Microsoft recommends prioritising the patching of affected servers.

“With a CVSS score of 9.8, the vulnerability announced has the potential to be both directly impactful & is also exceptionally simple to exploit, leading to a remote & unauthenticated denial-of-service (Blue Screen of Death) for affected products,” McAfee’s Steve Povolny observed in an analysis of the flaw at the time.

Improperly Tracks Pointers

Povolny explained that the problem lies in how Windows improperly tracks pointers while processing objects in network packets containing HTTP requests. The vulnerability only affects the latest versions of Windows 10 & Windows Server, meaning that the exposure for internet-facing enterprise servers is “fairly limited,” he stated.

That is because many of these systems run Long Term Servicing Channel (LTSC) versions, such as Windows Server 2016 & 2019, which are not susceptible to this flaw.

Wormable Security Bug

Researcher Axel Souchet, who used to work for Microsoft, published the PoC to GitHub, noting that the bug happens in http!UlpParseContentCoding, where the function has a local LIST_ENTRY & appends an item to it. “When it’s done, it moves it into the Request structure; but it doesn’t NULL out the local list,” he explained.

“The issue with that is that an attacker can trigger a code path that frees every entry of the local list, leaving them dangling in the Request object.”

IIS Server

This is not the 1st PoC exploit for CVE-2021-31166 that Souchet has released, but this is the 1st wormable one. Over the weekend, he released a PoC that only locked the impacted Windows system as long as it is running an IIS server.

That initial exploit shows how an attacker can leverage the flaw to cause DoS on a targeted system by sending it specially crafted packets.

I have built a PoC for CVE-2021-31166 the “HTTP Protocol Stack Remote Code Execution Vulnerability”: https://t.co/8mqLCByvCp 🔥🔥 pic.twitter.com/yzgUs2CQO5

— Axel Souchet (@0vercl0k) May 16, 2021

Exploit Lifecycle

The publishing of a PoC code like this is typically the 1st step in the lifecycle of an exploit. As explained by Trend Micro’s Mayra Rosario Fuentes at the RSA Conference 2021 on Mon., the next step in that lifecycle is for crooks to sell it.

After it is in the wild, a vulnerability moves into the stage of public disclosure. Next, the vendor patches the vulnerability. Finally, that vulnerability goes down 2 paths: If it is patched, that is it, & of life. If not, the exploit’s still there, waiting to be purchased on underground forums & set free on whichever unlucky victims have not yet patched.

Mukashi

One example is the 8-month lifecycle of CVE-2020-9054: an exploit sold on the XSS cyber-criminal forum for $20k in Feb. 2020 that got written up by cyber-security journalist Brian Krebs, was publicly disclosed & patched by Microsoft in Mar. 2020 & ended up being exploited by a botnet a month later.

That botnet, a variant of the Mirai botnet named Mukashi that targeted Zyxel network-attached storage (NAS) devices, allowed threat players to remotely compromise & control devices.

Long Shelf Life

5 months after it was patched, in Aug. 2020, another forum post requested an exploit, offering a bargain basement payment of $2,000. It is a 10th of the original exploit, but a solid indication that some vulnerabilities have a long shelf life – most particularly if they are used to crack open Microsoft products.

Microsoft exploits, after all, are by far the most-requested & the most-sold exploit flavours on the underground market: All the more reason to listen to Microsoft’s advice to prioritise patching.

Virtual Conference June 2021

 

More To Explore

Community Area

Books

Home Workouts

Recipe

spaghetti Bolognese
Days
Hours
Minutes
Seconds