Sysadmins, patch now: HTTP ‘pings of death’ are spewing across web to kill Windows servers
The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites.
The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability on Tuesday with a patch numbered MS15-034.
However, within hours of the update going live, people reverse engineered the new code to find out where the hole is and how to exploit it, and have started sending out the pings of death.
Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 systems running Microsoft’s IIS web server are affected. The component at fault is HTTP.sys, a kernel-level driver that forwards requests for webpages and the like to the user-space server software, and caches static files.
The problem stems from HTTP.sys not safely handling the Range header in an HTTP request; this mechanism is used to fetch part of a file from a server, which is sometimes handy for resuming downloads. If you set the range way too large, it causes the Windows kernel to crash.
So far, miscreants have developed two exploits: one to test if a server is vulnerable, and one that crashes it. Microsoft has warned the security bug can be used to execute code remotely on the server, but so far, no one seems to have been able to do that.
“Due to the ease with which this vulnerability can be exploited, we recommend that you expedite patching this vulnerability,” SANS notes in an advisory.
“We are seeing active exploits hitting our honeypots from 188.8.131.52. These scans use the denial-of-service version, not the ‘detection’ version of the exploit. The scans appear to be ‘internet wide’.”
To test if you are vulnerable, run the following code against your server to fetch a static file. If you get an error saying “Requested header range not satisfiable” you may be vulnerable; patched servers should reply: “The request has an invalid header name.”
curl -v [ipaddress]/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"
Change 0- to 20- to blue-screen-of-death a vulnerable box.
“There also appears to be an information disclosure vulnerability,” adds Johannes Ullrich, CTO of the SANS Internet Storm Center.
“If the lower end of the range is one byte less than the size of the retrieved file, kernel memory is appended to the output before the system reboots. In my own testing, I was not able to achieve consistent information leakage. Most of the time, the server just crashes.”
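For admins who want to see whether such requests are reaching their servers, here is an added example (not code from SANS, Microsoft or the article) that flags Range headers carrying an implausibly large byte offset, such as the 18446744073709551615 used in the curl test above. The 2**63 threshold, the function names and the sample requests are assumptions made for this sketch.

```python
import re

# Assumption: no legitimate client asks for an offset at or beyond 2**63;
# the test request quoted on this page uses 2**64 - 1.
MAX_SANE_OFFSET = 2**63 - 1

_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)
_SPEC_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def _too_big(digits, max_offset):
    # Compare by digit count first so absurdly long numbers are never parsed.
    d = digits.lstrip("0") or "0"
    return len(d) > len(str(max_offset)) or int(d) > max_offset


def suspicious_ranges(header_value, max_offset=MAX_SANE_OFFSET):
    """Return the byte-range specs whose first or last offset exceeds
    max_offset. Returns [] for benign or unparsable header values."""
    m = _RANGE_RE.match(header_value)
    if not m:
        return []
    hits = []
    for spec in m.group(1).split(","):
        s = _SPEC_RE.match(spec)
        if s and any(_too_big(x, max_offset) for x in s.groups() if x):
            hits.append(spec.strip())
    return hits


def scan_requests(requests):
    """requests: iterable of (source, headers dict); header names are matched
    case-insensitively. Returns a list of (source, flagged specs)."""
    findings = []
    for source, headers in requests:
        for name, value in headers.items():
            hits = suspicious_ranges(value) if name.lower() == "range" else []
            if hits:
                findings.append((source, hits))
    return findings


# Constructed sample requests (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", {"Host": "test", "Range": "bytes=0-18446744073709551615"}),
    ("192.0.2.11", {"Host": "www", "Range": "bytes=500-999"}),
    ("192.0.2.12", {"Host": "www", "range": "bytes=0-99, 20-18446744073709551615"}),
    ("192.0.2.13", {"Host": "www", "Range": "bytes=-500"}),
]

if __name__ == "__main__":
    for source, hits in scan_requests(SAMPLE):
        print(source, hits)
```

The same check can sit in a log-processing job or a reverse proxy in front of IIS; it is a way to spot the traffic, not a substitute for installing MS15-034.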