Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers
p0dalirius/CVE-2022-21907-http.sys
CVE-2022-21907 - Double Free in http.sys driver
An unauthenticated attacker can send an HTTP request whose "Accept-Encoding" header triggers a double free of the unknown coding list while the HTTP Protocol Stack (http.sys) is processing the packet, resulting in a kernel crash.

- Windows Server 2019 and Windows 10 version 1809:
  - ❌ Not vulnerable by default. Unless you have turned on HTTP Trailer Support with the EnableTrailerSupport value in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\, the systems are not vulnerable.
- Windows 10 version 2004 (build 19041.450):
  - ✔️ Vulnerable
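An added host check, not part of this repository, that reads the two facts the list above hinges on (the OS build and the EnableTrailerSupport value under the HTTP Parameters key) and reports which row of the list the host falls into. It assumes build 17763 is Windows 10 1809 / Server 2019 (public Windows versioning, not stated on this page) and that trailer support counts as turned on when the value is 1; any other build is reported as not covered here.

```powershell
# Added example: classify this host against the vulnerability list above.
# Run in an elevated PowerShell on the IIS host.
# Assumption: build 17763 = Windows 10 1809 / Server 2019; 19041 = Windows 10 2004.
$paramsKey = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuildNumber
$ubr   = [int]$ver.UBR            # update build revision, e.g. 450 in 19041.450

# Value is absent on a default install; treat "absent" and "0" as not turned on.
$trailer = (Get-ItemProperty -Path $paramsKey -Name EnableTrailerSupport `
            -ErrorAction SilentlyContinue).EnableTrailerSupport
$trailerOn = ($null -ne $trailer) -and ([int]$trailer -eq 1)

# http.sys is only reachable if the HTTP kernel service is running.
$httpRunning = (Get-Service -Name HTTP -ErrorAction SilentlyContinue).Status -eq 'Running'

Write-Host ("OS build             : {0}.{1}" -f $build, $ubr)
Write-Host ("EnableTrailerSupport : {0}" -f $(if ($null -eq $trailer) { '<not set>' } else { $trailer }))
Write-Host ("HTTP service running : {0}" -f $httpRunning)

switch ($build) {
    17763 {
        if ($trailerOn) {
            $verdict = 'Server 2019 / 1809 with EnableTrailerSupport turned on: vulnerable configuration'
        } else {
            $verdict = 'Server 2019 / 1809 without EnableTrailerSupport: not vulnerable by default'
        }
    }
    19041 {
        $verdict = 'Windows 10 2004: listed as vulnerable (tested on 19041.450); confirm the fix from the MSRC advisory is installed'
    }
    default {
        $verdict = 'Build not covered by this list; check the MSRC advisory for CVE-2022-21907'
    }
}
Write-Host "Verdict: $verdict"
```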
You can find the http.sys driver of Windows 10 version 2004 (build 19041.450) here:
| Patch status | Driver |
|---|---|
| Before patch | ./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys |
| After patch | ./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys |
PoC video: poc_cve-2022-01-18_12.35.35.mp4
```
$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target IIS Server.
  -v, --verbose         Verbose mode. (default: False)
```

Call graph:

```
STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
```

Function call graph:

```
───> nt!KiStartSystemThread+0x28
│ ├──> nt!PspSystemThreadStartup+0x55
│ │ ├──> HTTP!UlpThreadPoolWorker+0x112
│ │ │ ├──> HTTP!UlpHandleRequest+0x1aa
│ │ │ │ ├──> HTTP!UlpParseNextRequest+0x1ff
│ │ │ │ │ ├──> HTTP!UlParseHttp+0xac7
│ │ │ │ │ │ ├──> HTTP!UlParseHeader+0x218
│ │ │ │ │ │ │ ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
│ │ │ │ │ │ │ │ ├──> HTTP!UlpParseAcceptEncoding+0x298f5
│ │ │ │ │ │ │ │ │ ├──> HTTP!UlFreeUnknownCodingList+0x63
│ │ │ │ │ │ │ │ │ │ ├──> nt!KiRaiseSecurityCheckFailure+0x323
│ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiFastFailDispatch+0xd0
│ │ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiBugCheckDispatch+0x69
│ │ │ │ │ │ │ │ │ │ │ │ │ └──> nt!KeBugCheckEx
```

- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
- http://msdl.microsoft.com/download/symbols/http.pdb/3D8ADB52C1BF2F56F4EFE17AD29AC5B41/http.pdb
- https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys