github.com-0vercl0k-CVE-2021-31166_-_2021-05-20_04-58-29
Publication date: 2021-05-20
Proof of concept for CVE-2021-31166, a use-after-free in HTTP.sys that can be triggered remotely.
CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability
This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in `http.sys` patched by Microsoft in May 2021. According to this tweet, the vulnerability was found by @_mxms and @fzzyhd1.

The bug itself happens in `http!UlpParseContentCoding`, where the function has a local `LIST_ENTRY` and appends items to it. When it's done, it moves the list into the `Request` structure, but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code path that frees every entry of the local list, leaving them dangling in the `Request` object.
Here is the bugcheck:
```
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90ea867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90ea867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90ea867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90ea867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90ea867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90ea867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90ea867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90ea867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90ea867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90ea867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90ea867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90ea867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90ea867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90ea867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90ea867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90ea867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90ea867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
```
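To make the list-aliasing pattern concrete, here is an added, simplified C model of the bug described above; it is not http.sys code, and every name, layout and helper in it is an assumption. The local head is handed to the request but never re-initialized, so the error path's free loop starts on nodes the request now owns; a wdm.h-style integrity check in the remove-head helper (modelled as a NULL return rather than a fast fail) is what corresponds to the "LIST_ENTRY has been corrupted" bugcheck shown above, and re-initializing the local head after the move is the fix.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed, minimal stand-ins for the kernel list and the request object. */
typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY Link; bool Freed; } CODING;   /* one parsed coding */
typedef struct { LIST_ENTRY CodingList; } REQUEST;

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static bool IsListEmpty(const LIST_ENTRY *h) { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* Consistency check like the one in wdm.h's RemoveHeadList: an entry whose
   Blink is not this head belongs to another list. NULL models the fast fail. */
static LIST_ENTRY *RemoveHeadListChecked(LIST_ENTRY *h) {
    LIST_ENTRY *e = h->Flink, *f = e->Flink;
    if (e->Blink != h || f->Blink != e) return NULL;   /* LIST_ENTRY corrupted */
    h->Flink = f; f->Blink = h;
    return e;
}
/* Re-link the local list's nodes onto the request head; the local head keeps
   pointing at the first and last nodes unless the caller resets it. */
static void MoveListToRequest(LIST_ENTRY *local, REQUEST *req) {
    LIST_ENTRY *to = &req->CodingList;
    if (IsListEmpty(local)) { InitializeListHead(to); return; }
    to->Flink = local->Flink; to->Blink = local->Blink;
    to->Flink->Blink = to; to->Blink->Flink = to;
}
/* Error path: free everything reachable from h. Returns false when the list
   integrity check trips. Freeing is simulated with a flag so memory stays valid. */
static bool FreeCodingList(LIST_ENTRY *h) {
    while (!IsListEmpty(h)) {
        LIST_ENTRY *e = RemoveHeadListChecked(h);
        if (e == NULL) return false;
        ((CODING *)e)->Freed = true;
    }
    return true;
}
static int CountRequestCodings(const REQUEST *req) {
    int n = 0;
    for (const LIST_ENTRY *e = req->CodingList.Flink; e != &req->CodingList; e = e->Flink) n++;
    return n;
}
/* Parse n codings into a local list, hand them to req, then take the error path.
   reinit_local == false reproduces the bug; true applies the fix. */
static bool ParseContentCodingModel(REQUEST *req, CODING *pool, int n, bool reinit_local) {
    LIST_ENTRY local;
    InitializeListHead(&local);
    for (int i = 0; i < n; i++) { pool[i].Freed = false; InsertTailList(&local, &pool[i].Link); }
    MoveListToRequest(&local, req);
    if (reinit_local) InitializeListHead(&local);   /* the fix: stop aliasing req's nodes */
    return FreeCodingList(&local);
}
```

Without the integrity check, the buggy path would mark each node freed while `req->CodingList` still links to it, which is the dangling state the text describes.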
Frequently Asked Questions
Q: Is Windows Remote Management (WinRM) affected?
Yes (thanks to @JimDinMN for sharing his experiments).
Q: Is Web Services on Devices (WSDAPI) affected?
Yes (thanks to @HenkPoley for sharing his results).
To restore the repository, download the bundle:

wget https://archive.org/download/github.com-0vercl0k-CVE-2021-31166_-_2021-05-20_04-58-29/0vercl0k-CVE-2021-31166_-_2021-05-20_04-58-29.bundle

and run: git clone 0vercl0k-CVE-2021-31166_-_2021-05-20_04-58-29.bundle
Source: https://github.com/0vercl0k/CVE-2021-31166
Uploader: 0vercl0k
Upload date: 2021-05-20