Critical Microsoft IIS Vulnerability Leads to RCE (MS15-034)

April 16, 2015, by Rafael Capovilla


Microsoft just disclosed a serious vulnerability (MS15-034) in its IIS web server that allows remote, unauthenticated Denial of Service (DoS) and/or Remote Code Execution (RCE) on unpatched Windows servers. An attacker only needs to send a specially crafted HTTP request with the right header to exploit it. That’s how serious it is.

RCE is used to describe an attacker’s ability to execute any command on a target machine from a remote location, bypassing all security mechanisms.

This security update is rated critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. You can read more details about the versions affected in the Microsoft Security Bulletin.

What’s Happening in the Wild

A simple PoC has been released, so you can expect public exploits to follow very soon. The attack is based on a change in HTTP!UlpParseRange in which an error code is returned as a result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower bounds of an HTTP range request.

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

This is the code that has been released:

[Image: the released MS15-034 proof-of-concept code]

This code uses the Range header to trigger a buffer overflow and detect whether the system is vulnerable. The attack is very similar to the “Apache Killer” of a few years ago.

The Range header is used to request only part of an object. It is commonly used by download managers to resume downloads.

Identifying a vulnerable system

You can easily verify whether your server is vulnerable using the following curl command:

curl -v SERVER_IP -H "Host: anything" -H "Range: bytes=0-18446744073709551615"

If you get something like this:

[Image: MS15-034 check (curl output from an unpatched server)]

That means your server is not patched.
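The following is an added example, not code from Sucuri or from the released PoC. It shows how a defender can recognise the malicious Range value described above in their own traffic: it parses a Range header, models the range-length computation as an unsigned 64-bit add of (end - start) + 1 (an assumption about the exact arithmetic, chosen to match the upper bound 18446744073709551615 used in the curl check) and flags any request whose values would overflow 64 bits. The sample requests at the bottom are constructed for the example, not captured traffic.

```python
import re

# Largest value a 64-bit unsigned integer can hold. This is the upper bound
# used in the public curl check (Range: bytes=0-18446744073709551615).
UINT64_MAX = 2**64 - 1


def range_length_overflows(start, end):
    """True when computing the range length as (end - start) + 1 in unsigned
    64-bit arithmetic would wrap around.  Modelling the server's range
    parser this way is an assumption of this example; it is chosen so that
    the value from the public check is flagged.
    """
    if end < start:
        return False  # a backwards range is malformed, not an overflow
    diff = (end - start) & UINT64_MAX
    return diff + 1 > UINT64_MAX


def classify_range(value):
    """Classify a Range header value as 'ok', 'suspicious' or 'invalid'.

    Only the 'bytes' unit is understood; each range spec may be 'a-b',
    'a-' or '-n'.  Anything that does not fit 64 bits, or whose length
    computation would overflow, is reported as suspicious.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", value, re.IGNORECASE)
    if not m:
        return "invalid"
    for spec in m.group(1).split(","):
        mm = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not mm or (not mm.group(1) and not mm.group(2)):
            return "invalid"
        first, last = mm.group(1), mm.group(2)
        # An offset that does not fit in 64 bits cannot be a legitimate resume point.
        if any(int(x) > UINT64_MAX for x in (first, last) if x):
            return "suspicious"
        if first and last and range_length_overflows(int(first), int(last)):
            return "suspicious"
    return "ok"


def scan_requests(raw_requests):
    """Return (index, verdict, range_value) for every request that carries a
    Range header.  Input is a list of raw HTTP request strings, CRLF-separated."""
    findings = []
    for i, raw in enumerate(raw_requests):
        for line in raw.split("\r\n"):
            name, sep, val = line.partition(":")
            if sep and name.strip().lower() == "range":
                verdict = classify_range(val.strip())
                findings.append((i, verdict, val.strip()))
    return findings


# Constructed sample requests (not real traffic): a normal download resume,
# the probe from the curl check above, a malformed header, and no Range at all.
SAMPLE_REQUESTS = [
    "GET /file.zip HTTP/1.1\r\nHost: example.test\r\nRange: bytes=1024-\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: anything\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nRange: bytes=abc\r\n\r\n",
    "GET /img.png HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict, rng in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict:10s} Range: {rng}")
```

Run on the constructed samples, the normal resume is reported as ok, the 0-18446744073709551615 probe as suspicious and the malformed header as invalid. The same classify_range check can be dropped into a WAF rule or a log-parsing job that has access to request headers, so that an attempted probe is visible even on hosts that are already patched.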

Fixing the Problem

All sites behind CloudProxy (our Website Firewall and Intrusion Prevention System for Websites) are already protected against this vulnerability. If you are not a customer you should apply the Microsoft patches ASAP.


Categories: Security Education, Website Malware Infections, Website SecurityTags: Server Security

About Rafael Capovilla

Rafael Capovilla is Sucuri’s Director of Software Development who joined the company in 2014. Rafael’s main responsibilities include keeping the infrastructure safe and running, and dealing with large DDoS attacks. His professional experience covers more than 15 years of system and network administration focused on security. You can follow him on Twitter @rmcapovilla

Comments

  1. Kevin Beaumont

    April 16, 2015

    The “exploit” mentioned is just a DoS method. There’s no RCE exploit for this, and it’s likely there won’t be as exploiting a single integer value is not easy.

  2. noname

    April 17, 2015

    Imagine this Kevin: You ask IIS to provide you with the data from file X, you ask to resume your download of file X starting from byte number -1024 .. IIS then loads file X into the memory, it then goes to location ptr.X[-1024] and tries to load that location from the memory in order to serve it to the user … oops.

  3. friv3gamess

    May 16, 2015

    I will send it to some of my friends. And of course, thank you for your efforts in this article!
