Active DoS Exploits for MS15-034 Under Way

Public denial-of-service exploits for a critical vulnerability in Microsoft’s implementation of the HTTP protocol stack, HTTP.sys, are under way, while remote code execution attacks may still be to come.

UPDATE – Microsoft’s characterization of MS15-034 as a remote code execution vulnerability certainly has a lot of Windows server admins on edge waiting for the other shoe to drop.

In the three days since the bulletin was released warning of a critical vulnerability in the HTTP protocol stack, HTTP.sys, security experts, including the SANS Institute, have warned of publicly available denial-of-service exploits targeting Microsoft IIS webservers. There’s also the possibility of information leakage via this issue that could pave the way for more serious attacks, but for now, a crashing and rebooting IIS server might be your only sign of trouble.

“So far we see active exploitation for the denial-of-service vulnerability. The information disclosure vulnerability has been demonstrated, but we have not seen it used against any of our honeypots yet, nor have we seen any reports of it being used in attacks,” Johannes Ullrich of the SANS Institute told Threatpost.

Ullrich was quick to point out, too, that Internet-wide scans are happening now that are not just looking for vulnerable servers but also trying to crash them.

“It’s extremely easy to exploit,” Ullrich said during an emergency webcast last night. “That’s the problem with this vulnerability, it’s so easy.”

Microsoft, meanwhile, said customers should prioritize this bulletin and patch as soon as possible.

“Update MS15-034 was classified as a remote code execution bulletin because, while that type of exploit is harder to carry out, it is theoretically possible,” said a Microsoft spokesperson.

The SANS Internet Storm Center yesterday raised its alert level, and said active exploits were hitting its honeypots from 78[.]186[.]123[.]180. Some readers reported to the ISC attacks that they believed were more targeted, aimed at specific webservers.

“If you have been the subject of a denial-of-service attack in the past, this is a much better and easier way to achieve the same thing than doing NTP reflection or whatever against your server,” Ullrich said. “This is the main exposure right now.”

While IIS (Internet Information Services) servers are the principal attack vector right now, this isn’t necessarily solely an IIS problem. Lots of services make use of HTTP.sys.

“It’s really not an IIS vulnerability, but it is exposed via IIS,” Ullrich said. “The HTTP.sys vulnerability: Every Windows system has it whether it’s running IIS or not. It’s a system library that implements the parsing of http requests and implements caching content in kernel memory.”

One of Microsoft’s workarounds, for example, was to disable IIS kernel caching, but there is a gotcha.

“Turning off kernel caching will prevent the exploit. The system is only vulnerable if kernel caching is turned on,” Ullrich said. “However, it will cause a significant loss in performance, so this may then turn into a denial of service for a busy site as it can no longer fulfill all requests.”

The crux of the vulnerability lies in the handling of the Range header, which is used to pull portions of a cached webpage out of kernel memory and return them to the client. A specifically crafted Range header will trigger the denial-of-service vulnerability so long as certain conditions are met within the range. This has the potential to be quite disruptive, even though the vast majority of webservers are Linux boxes (according to Netcraft, 70 million Windows servers could be affected).
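As an added, defender-side illustration that is not part of the article and not code from SANS or Microsoft: the script below parses the Range header out of constructed proxy-style request log lines, flags requests whose byte ranges are malformed or implausibly large, and tallies the flagged requests per source address so that a scanning host stands out. The log line format, the sample lines, and the 4 GiB offset ceiling are all assumptions made for the example; this is a generic sanity check on Range values, not a signature for MS15-034.

```python
import re
from collections import Counter

# Constructed sample: "<client_ip> <method> <path> <proto> Range:<header value or ->".
# This is an assumed log layout for the example, not real IIS or proxy output.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html HTTP/1.1 Range:-
10.0.0.5 GET /video.mp4 HTTP/1.1 Range:bytes=0-1023
203.0.113.7 GET / HTTP/1.1 Range:bytes=0-99999999999999999999
203.0.113.7 GET / HTTP/1.1 Range:bytes=18-5
203.0.113.9 GET /welcome.png HTTP/1.1 Range:bytes=500-
"""

# Assumed ceiling: static content served from a web cache is rarely larger than 4 GiB,
# so a byte offset beyond this is treated as suspicious rather than as a real request.
DEFAULT_MAX_OFFSET = 2**32 - 1

RANGE_RE = re.compile(r"^bytes=(.+)$")
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) Range:(.*)$")


def parse_byte_ranges(value):
    """Parse a Range header value into a list of (first, last) tuples.

    None stands for an open end: "500-" -> (500, None), "-500" -> (None, 500).
    Raises ValueError for anything that is not a well-formed byte-range set.
    """
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError("not a bytes= range")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        first, sep, last = spec.partition("-")
        if not sep or (first == "" and last == ""):
            raise ValueError(f"malformed range spec {spec!r}")
        if (first and not first.isdigit()) or (last and not last.isdigit()):
            raise ValueError(f"non-numeric offset in {spec!r}")
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges


def classify_range(value, max_offset=DEFAULT_MAX_OFFSET):
    """Return None if the Range value looks legitimate, otherwise a short reason."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError as exc:
        return f"malformed: {exc}"
    for first, last in ranges:
        for offset in (first, last):
            if offset is not None and offset > max_offset:
                return f"offset {offset} exceeds ceiling {max_offset}"
        if first is not None and last is not None and first > last:
            return f"start {first} after end {last}"
    return None


def scan_log(text, max_offset=DEFAULT_MAX_OFFSET):
    """Return (client_ip, path, reason) for every request with a suspicious Range header."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip, _method, path, _proto, range_value = m.groups()
        if range_value == "-":
            continue  # request carried no Range header
        reason = classify_range(range_value, max_offset)
        if reason:
            findings.append((ip, path, reason))
    return findings


def sources_to_watch(findings):
    """Count flagged requests per source so repeat offenders (scanners) rank first."""
    return Counter(ip for ip, _path, _reason in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, reason in hits:
        print(f"{ip} {path}: {reason}")
    print(sources_to_watch(hits).most_common())
```

Run against a real access log, the only part that needs changing is `LOG_RE`; the ceiling can be lowered to the size of the largest object actually served, which makes the check tighter without touching the parsing logic.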

The information disclosure weakness is concerning as well because there are ways to get a kernel memory dump back in a response from HTTP.sys. This will evoke memories of Heartbleed, which also led to memory leakage and inevitably a slew of exploits with varying results. Ullrich said that memory disclosure in this case, however, is trickier to retrieve than with Heartbleed, but it could be used to inch closer to remote code execution.

“Currently, there is no known exploit that would cause remote code execution. Likely, an attacker would first have to use the information disclosure vulnerability to learn more about the internal memory layout to then follow up with a remote code execution exploit,” he said. “But since the information disclosure attack will also cause a reboot, this information may not be all that valuable.”

This article was updated at 1 p.m. ET with a comment from Microsoft.
