Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A Wormable Code Execution Bug in HTTP.sys

Kc Udonsi & Yazhi Wang - ZDI, posted 4 years ago
  • IIS for Windows Server is a web server for hosting both static and dynamic web content. Its HTTP listener is part of the networking subsystem and is implemented in the kernel-mode driver HTTP.sys. A vulnerability in the web server itself puts the millions of sites running on it at risk of compromise in one go.
  • The Accept-Encoding header tells the server which content-codings the client will accept in the response, such as gzip, deflate or *. It may also be a comma-separated list with quality values, for example Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5.
  • While parsing such a string, each content-coding ends up in one of three states: supported, unknown or invalid. "gzip" is a supported content-coding, "aaaa" is an unknown one, and "bbbb;" is invalid because it is improperly formatted (the parameter separator has nothing after it).
  • Unknown content-codings are tracked in a circular doubly linked list, and the vulnerability lies in how that list is handled.
  • Initially, a root node is created to hold the unknown content-codings. After this information has been used for the response, a routine unlinks and frees the nodes of the list, starting with the first non-root node and performing a number of sanity checks along the way.
  • Once all of the content-codings have been parsed, any unknown ones are unlinked from the original root node, which resides on the function's stack, and relinked to a separate root node structure.
  • Here is where the vulnerability occurs: the next and previous links of the original root node are STILL connected to the migrated nodes. By crafting an Accept-Encoding header with a specially placed comma (,), a path can be taken that migrates some but not all of the nodes.
  • With one of the original root node's links now incorrect, that root can still be used to reach the migrated nodes, and the cleanup routine will free them through it even though they are no longer its to free. The result is a use after free (UAF) that a remote attacker can trigger.
  • This is an interesting bug! Like many heap vulnerabilities, it comes down to bad bookkeeping of pointers: a stale pointer in one place is enough to create an exploitable condition.
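The bookkeeping failure described in these notes is easier to see in code. The following C model is an added example; it is not HTTP.sys code and not from the ZDI post. The node layout, the function names (classify_coding, parse_accept_encoding, migrate_nodes, count_shared_nodes, run_scenario), the migration routine and the constructed header value are all assumptions made for illustration. It classifies each Accept-Encoding item as supported, unknown or invalid, keeps unknown codings on a circular doubly linked list hanging off a stack root, then migrates the first few nodes to a new root. The buggy variant leaves the stack root's next link pointing at migrated nodes, and count_shared_nodes reports how many nodes a cleanup walk from the stale root would free out from under the new owner.

```c
/* Added model of the Accept-Encoding bookkeeping bug summarised above. Not
 * HTTP.sys code: the node layout, names and migration routine are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct node { struct node *next, *prev; char name[32]; } node_t;
typedef enum { CODING_SUPPORTED, CODING_UNKNOWN, CODING_INVALID } coding_kind;

static void list_init(node_t *root) { root->next = root->prev = root; }
static void list_append(node_t *root, node_t *n) {
    n->prev = root->prev; n->next = root;
    root->prev->next = n; root->prev = n;
}

/* Classify one comma-separated item: "gzip" supported, "aaaa" unknown, "bbbb;"
 * invalid (';' with nothing after it). Name without parameters goes to `name`. */
coding_kind classify_coding(const char *item, char *name, size_t cap) {
    static const char *supported[] = { "gzip", "deflate", "*" };
    char buf[64];
    snprintf(buf, sizeof buf, "%s", item + strspn(item, " \t"));
    size_t n = strlen(buf);
    while (n && isspace((unsigned char)buf[n - 1])) buf[--n] = '\0';
    char *semi = strchr(buf, ';');
    if (semi && semi[1] == '\0') return CODING_INVALID;
    if (semi) *semi = '\0';                              /* drop ";q=..." */
    if (buf[0] == '\0') return CODING_INVALID;
    if (name) snprintf(name, cap, "%s", buf);
    for (size_t i = 0; i < sizeof supported / sizeof *supported; i++)
        if (strcmp(buf, supported[i]) == 0) return CODING_SUPPORTED;
    return CODING_UNKNOWN;
}

/* Parse a header value; unknown codings become heap nodes on `root`.
 * Returns the number of unknown codings, or -1 at the first invalid item. */
int parse_accept_encoding(const char *value, node_t *root) {
    char copy[256], name[32];
    int unknown = 0;
    snprintf(copy, sizeof copy, "%s", value);
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        coding_kind k = classify_coding(tok, name, sizeof name);
        if (k == CODING_INVALID) return -1;
        if (k != CODING_UNKNOWN) continue;
        node_t *nd = calloc(1, sizeof *nd);
        if (!nd) return -1;
        strncpy(nd->name, name, sizeof nd->name - 1);
        list_append(root, nd);
        unknown++;
    }
    return unknown;
}

/* Move the first `count` nodes from the stack root `old` to `fresh`. With
 * fixed == 0 this is the bookkeeping error: the nodes now hang off `fresh`,
 * but old->next still points at the first of them. */
void migrate_nodes(node_t *old, node_t *fresh, int count, int fixed) {
    node_t *first = old->next, *last = first;
    if (first == old || count <= 0) return;
    for (int i = 1; i < count && last->next != old; i++) last = last->next;
    node_t *rest = last->next;                           /* first node left behind, or old */
    fresh->next = first; fresh->prev = last;
    first->prev = fresh; last->next = fresh;
    if (fixed) { old->next = rest; rest->prev = old; }   /* re-close the old list */
}

/* Forward walk that stops at either root or after `cap` nodes, so a corrupted
 * list cannot loop forever. */
static int walk(const node_t *root, const node_t *other, const node_t **out, int cap) {
    int n = 0;
    for (const node_t *x = root->next; x != root && x != other && n < cap; x = x->next)
        out[n++] = x;
    return n;
}

/* Nodes reachable from both roots. Any non-zero result means the cleanup walk
 * from the stale root would free memory the other root still owns: the UAF. */
int count_shared_nodes(const node_t *a, const node_t *b) {
    const node_t *ra[64], *rb[64];
    int na = walk(a, b, ra, 64), nb = walk(b, a, rb, 64), shared = 0;
    for (int i = 0; i < na; i++)
        for (int j = 0; j < nb; j++) if (ra[i] == rb[j]) shared++;
    return shared;
}

/* The unlink-and-free routine; only safe on a consistent list. */
void list_free(node_t *root) {
    for (node_t *x = root->next; x != root;) { node_t *nx = x->next; free(x); x = nx; }
    list_init(root);
}

/* Parse, migrate `count` nodes, and report how many nodes both roots claim.
 * Returns -1 for an invalid header. */
int run_scenario(const char *header, int count, int fixed) {
    node_t stack_root, new_root;
    list_init(&stack_root); list_init(&new_root);
    if (parse_accept_encoding(header, &stack_root) < 0) { list_free(&stack_root); return -1; }
    migrate_nodes(&stack_root, &new_root, count, fixed);
    int shared = count_shared_nodes(&stack_root, &new_root);
    list_free(&new_root);
    if (fixed) list_free(&stack_root);  /* buggy case: freeing via the stale root too would be the double free; leftovers leak */
    return shared;
}

int main(void) {
    const char *hdr = "gzip, aaaa, cccc, dddd, deflate;q=0.5";   /* constructed header */
    printf("buggy migration: %d node(s) claimed by both roots\n", run_scenario(hdr, 2, 0));
    printf("fixed migration: %d node(s) claimed by both roots\n", run_scenario(hdr, 2, 1));
    printf("invalid item \"bbbb;\": %d\n", run_scenario("gzip, bbbb;", 1, 1));
    return 0;
}
```

The fix in this model is a single line: after moving the nodes, re-close the old root around whatever it still owns. That is the general lesson of the bug: whenever nodes are spliced from one list head to another, every link on the source head (and on the first node left behind) has to be rewritten in the same step, or a later walk from the abandoned head will operate on memory it no longer owns.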