• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Critical Microsoft IIS Vulnerability Leads to RCE (MS15-034)

April 16, 2015Rafael Capovilla

58
SHARES
FacebookTwitterSubscribe

Microsoft just disclosed a serious vulnerability (MS15-034) on their Web Server IIS that allows for remote and unauthenticated Denial of Service (DoS) and/or Remote Code Execution (RCE) on unpatched Windows servers. An attacker only needs to send a specially crafted HTTP request with the right header to exploit it. That’s how serious it is.

RCE is used to describe an attacker’s ability to execute any command on a target machine from a remote location, bypassing all security mechanisms.

This security update is rated critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. You can read more details about the versions affected in the Microsoft Security Bulletin.

What’s Happening in the Wild

A simple POC has been released so you can expect public exploits to be released very soon. The attack is based off a change in HTTP!UlpParseRange in which an error code is returned as a result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of an HTTP range request.

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

This is the code that has been released:

MS15-034

This code is using the Range header to trigger a buffer overflow and detect if the system is vulnerable or not. The attack is very similar to the “Apache Killer” that happened a few years ago.

The Range-Header is used to request only part of an object. It is commonly used by download managers to resume downloads.

Identifying a vulnerable system

You can easily verify if your server is vulnerable using the following curl command:

curl -v SERVER_IP -H "Host: anything" -H "Range: bytes=0-18446744073709551615"

If you get something like this:

MS15-034 check

That means your server is not patched.

Fixing the Problem

All sites behind CloudProxy (our Website Firewall and Intrusion Prevention System for Websites) are already protected against this vulnerability. If you are not a customer you should apply the Microsoft patches ASAP.

58
SHARES
FacebookTwitterSubscribe

Categories: Security Education, Website Malware Infections, Website SecurityTags: Server Security

About Rafael Capovilla

Rafael is the Website Firewall Director at Sucuri. You will usually find him digging into logs and working with his team to provide the best protection and easy to use WAF for your website. When off duty he is probably on a bbq pit. You can follow him on Twitter @rmcapovilla

Reader Interactions

Comments

  1. Kevin Beaumont

    April 16, 2015

    The “exploit” mentioned is just a DoS method. There’s no RCE exploit for this, and it’s likely there won’t be as exploiting a single integer value is not easy.

  2. noname

    April 17, 2015

    Imagine this Kevin: You ask IIS to provide you with the data from file X, you ask to resume your download of file X starting from byte number -1024 .. IIS then loads file X into the memory, it then goes to location ptr.X[-1024] and tries to load that location from the memory in order to serve it to the user … oops.

  3. friv3gamess

    May 16, 2015

    I will send it to some of my friends. And of course, thank you for your efforts in this article!

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2019 Sucuri Inc. All rights reserved

We use tools, such as cookies, to enable essential services and functionality on our site and to collect data on how visitors interact with our site, products and services. By clicking Continue, you agree to our use of these tools for advertising, analytics and support.Continue Read More
Privacy & Cookies Policy

Necessary Always Enabled