点击上方蓝字“Ots安全”一起玩耍
概括
未经身份验证的攻击者可以发送带有“ Accept-Encoding” HTTP 请求标头的 HTTP 请求,触发 HTTP 协议栈 ( ) 内的未知编码列表中的双重释放http.sys来处理数据包,从而导致内核崩溃。
易受攻击的系统
-
Windows Server 2019 和 Windows 10 版本 1809:
❌默认情况下不易受攻击。除非您将 HTTP Trailer Support 设置为EnableTrailerSupportin HKEY_LOCAL_MACHINESystemCurrentControlSetServicesHTTPParameters,否则系统不会受到攻击。
-
Windows 10 版本 2004(内部版本19041.450):
✔️易受伤害的
您可以在此处找到http.sysWindows 10 版本 2004 (build 19041.450) 的驱动程序:
补丁前
./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys补丁后
./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys示范
用法
$ ./CVE-2022-21907_http.sys_crash.py -husage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]Description messageoptional arguments:-h, --help show this help message and exit-t TARGET, --target TARGETTarget IIS Server.-v, --verbose Verbose mode. (default: False)
崩溃时的调用图
调用图:
STACK_TEXT:ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckExffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ffffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aaffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
函数调用图:
───> nt!KiStartSystemThread+0x28│ ├──> nt!PspSystemThreadStartup+0x55│ │ ├──> HTTP!UlpThreadPoolWorker+0x112│ │ │ ├──> HTTP!UlpHandleRequest+0x1aa│ │ │ │ ├──> HTTP!UlpParseNextRequest+0x1ff│ │ │ │ │ ├──> HTTP!UlParseHttp+0xac7│ │ │ │ │ │ ├──> HTTP!UlParseHeader+0x218│ │ │ │ │ │ │ ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51│ │ │ │ │ │ │ │ ├──> HTTP!UlpParseAcceptEncoding+0x298f5│ │ │ │ │ │ │ │ │ ├──> HTTP!UlFreeUnknownCodingList+0x63│ │ │ │ │ │ │ │ │ │ ├──> nt!KiRaiseSecurityCheckFailure+0x323│ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiFastFailDispatch+0xd0│ │ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiBugCheckDispatch+0x69│ │ │ │ │ │ │ │ │ │ │ │ │ └──> nt!KeBugCheckEx
参考
-
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
-
http://msdl.microsoft.com/download/symbols/http.pdb/3D8ADB52C1BF2F56F4EFE17AD29AC5B41/http.pdb
-
https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
原文始发于微信公众号(Ots安全):http.sys 驱动程序中 CVE-2022-21907 Double Free 的概念证明,在 IIS 服务器上触发内核崩溃
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论