CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

Related tags

Security related resourcesCVE-2022-21907
Overview

CVE-2022-21907

Description

  • POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞
  • create by antx at 2022-01-17.

Detail

  • HTTP Protocol Stack Remote Code Execution Vulnerability.
  • Similar to CVE-2021-31166.
  • This problem exists, from last year which is reported on CVE-2021-31166, and still there.

CVE Severity

  • attackComplexity: LOW
  • attackVector: NETWORK
  • availabilityImpact: HIGH
  • confidentialityImpact: HIGH
  • integrityImpact: HIGH
  • privilegesRequired: NONE
  • scope: UNCHANGED
  • userInteraction: NONE
  • version: 3.1
  • baseScore: 9.8
  • baseSeverity: CRITICAL

Affect

  • Windows
    • 10 Version 1809 for 32-bit Systems
    • 10 Version 1809 for x64-based Systems
    • 10 Version 1809 for ARM64-based Systems
    • 10 Version 21H1 for 32-bit Systems
    • 10 Version 21H1 for x64-based System
    • 10 Version 21H1 for ARM64-based Systems
    • 10 Version 20H2 for 32-bit Systems
    • 10 Version 20H2 for x64-based Systems
    • 10 Version 20H2 for ARM64-based Systems
    • 10 Version 21H2 for 32-bit Systems
    • 10 Version 21H2 for x64-based Systems
    • 10 Version 21H2 for ARM64-based Systems
    • 11 for x64-based Systems
    • 11 for ARM64-based Systems
  • Windows Server
    • 2019
    • 2019 (Core installation)
    • 2022
    • 2022 (Server Core installation)
    • version 20H2 (Server Core Installation)

POC

Mitigations

  • Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. Unless you have enabled the HTTP Trailer Support via EnableTrailerSupport registry value, the systems are not vulnerable.
  • Delete the DWORD registry value “EnableTrailerSupport” if present under: 
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  • This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to the Windows 20H2 and newer.

FAQ

  • How could an attacker exploit this vulnerability?
    • In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
  • Is this wormable?
    • Yes. Microsoft recommends prioritizing the patching of affected servers.
  • Windows 10, Version 1909 is not in the Security Updates table. Is it affected by this vulnerability?
    • No, the vulnerable code does not exist in Windows 10, version 1909. It is not affected by this vulnerability.
  • Is the EnableTrailerSupport registry key present in any other platform than Windows Server 2019 and Windows 10, version 1809?
    • No, the registry key is only present in Windows Server 2019 and Windows 10, version 1809

Reference

Owner
antx
RCT(Reading, Coding and Trading)
antx
GitHub Repository
Evil-stalker - A simple tool written in python, it is so simple that it is based on google dorks

evil-stalker How to run First of all, you must install the necessary libraries.

rock3d 6 Nov 16, 2022
CVE-2022-21907 Vulnerability PoC

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17, just some sm

Michele 16 Dec 18, 2022
Tool for finding PHP source code vulnerabilities.

vulnz Tool for finding php source code vulnerabilities. Scans PHP source code and prints out potentially dangerous lines. This tool is useful for secu

Mateo Hanžek 1 Jan 14, 2022
ProxyLogon Pre-Auth SSRF To Arbitrary File Write

ProxyLogon Pre-Auth SSRF To Arbitrary File Write For Education and Research Usage: C:\python proxylogon.py mail.evil.corp lulz 117 Nov 28, 2022

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
Repo for The Crown: Exploratory Analysis of Nim Malware DEF CON 615 talk

Repo for "The Crown: Exploratory Analysis of Nim Malware" DEF CON 615 talk

HuskyHacks 43 Dec 03, 2022
This repo is about steps to create a effective custom wordlist in a few clicks/

Custom Wordlist This repo is about steps to take in order to create a effective custom wordlist in a few clicks. this comes handing in pentesting enga

2 Oct 08, 2022
KeyKatcher is a keylogger that records keystrokes made on a computer and sends to the E-Mail.

What is a keylogger? A keylogger is a software application or piece of hardware that monitors and records keystrokes made on a computer keyboard. The

Himank_Jain 7 Sep 19, 2022
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.

sshuttle: where transparent proxy meets VPN meets ssh As far as I know, sshuttle is the only program that solves the following common case: Your clien

9.4k Jan 04, 2023
A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3

arp_spoof_detector A repository to detect the ARP spoofing in any devices and prevent Man in the Middle(MITM) attack using Python3 Usage: git clone ht

Surya Das N 1 Oct 30, 2021
Python sandbox runners for executing code in isolation aka snekbox.

Python sandbox runners for executing code in isolation aka snekbox.

Python Discord 164 Dec 20, 2022
Log4j minecraft with python

log4jminecraft This code DOES NOT promote or encourage any illegal activities! The content in this document is provided solely for educational purpose

David Bombal 154 Dec 24, 2022
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Alice 48 Aug 28, 2022
The Modern Hash Identification System

🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 3000+ other hashes ☄ Comes with a neat web app 🔥

1.2k Dec 28, 2022
👑 Discovery Header DoD Bug-Bounty

👑 Discovery Header DoD Bug-Bounty Did you know that DoD accepts server headers? 😲 (example: apache"version" , php"version") ? In this code it is pos

KingOfTips 38 Aug 09, 2022
This script allows you to make a onion host instantly.

Installation It only works in Debian based Linux distros. Clone the repo: git clone https://github.com/0xStevenson/Auto-Tor-Host.git Go to the direct

Steven 4 Feb 22, 2022
CamOver is a camera exploitation tool that allows to disclosure network camera admin password.

CamOver is a camera exploitation tool that allows to disclosure network camera admin password. Features Exploits vulnerabilities in most popul

EntySec 247 Jan 02, 2023
Fast and customizable vulnerability scanner For JIRA written in Python

Fast and customizable vulnerability scanner For JIRA. 🤔 What is this? Jira-Lens 🔍 is a Python Based vulnerability Scanner for JIRA. Jira is a propri

Mayank Pandey 185 Dec 25, 2022
Hadoop Yan RPC unauthorized RCE

Vuln Impact On November 15, 2021, A security researcher disclosed that there was an unauthorized access vulnerability in Hadoop yarn RPC. This vulnera

Al1ex 25 Nov 24, 2022
Cobalt Strike < 4.4 dos CVE-2021-36798

CVE-2021-36798 CVE-2021-36798 Cobalt Strike 4.3 dos 用法 python3 CVE-2021-36798.py BeaconURL 打瘫Cobalt Strike 只需要一个包 已测试 4.3 4.2 参考: https://labs.sent

37 Nov 09, 2022