Remote Code Execution Vulnerability Found in Windows HTTP

HTTP.sys (IIS) DoS and Possible Remote Code Execution (MS15-034, CVE-2015-1635)

Microsoft has disclosed a remote code execution vulnerability in the Windows HTTP protocol stack. CVE-2015-1635 is an overflow vulnerability in HTTP.sys affecting all actively supported OS versions. A successful exploit allows remote attackers to execute arbitrary code, or to trigger an unrecoverable error that causes a denial of service, via crafted HTTP requests.

Additional information can be found at:

https://technet.microsoft.com/en-us/library/security/ms15-034.aspx

https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible

Recommendations

  • We recommend patching all IIS servers immediately

Systems Affected

  • Microsoft Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows 8
  • Windows 8.1
  • Windows Server 2012 Gold and R2

Vulnerable Versions

All actively supported Microsoft OS versions

Patches

Due to the high volume of proof-of-concept exploits published over the past couple of days, we strongly advise patching any vulnerable systems as soon as possible.

https://support.microsoft.com/en-us/kb/3042553
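The recommendation above is to patch every IIS server. The following PowerShell script is an added example (not part of this advisory, and not Masergy or Microsoft tooling) that inventories which hosts are still missing the MS15-034 fix (KB3042553) while running IIS, so they can be prioritised. It assumes the hosts are reachable for remote Get-HotFix / Get-Service queries; the host names are constructed placeholders.

```powershell
# Added example: find hosts that run IIS (W3SVC) but lack KB3042553 (MS15-034).
# Host list is a constructed placeholder; assumes remote WMI/RPC access is allowed.
$Hosts = @('web01.example.local', 'web02.example.local', 'app01.example.local')
$FixId = 'KB3042553'   # update referenced in the advisory

$report = foreach ($h in $Hosts) {
    try {
        # Pull the installed-update list once per host and test membership,
        # rather than querying by -Id, so "not installed" and "unreachable"
        # are told apart.
        $installed = Get-HotFix -ComputerName $h -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $patched = $installed -contains $FixId

        # W3SVC present means IIS (and therefore HTTP.sys listening) is installed.
        $iis = Get-Service -Name W3SVC -ComputerName $h -ErrorAction SilentlyContinue
        $hasIis = $null -ne $iis

        $status = if ($hasIis -and -not $patched) { 'PATCH NOW' }
                  elseif (-not $patched)          { 'Unpatched (no IIS)' }
                  else                            { 'Patched' }

        [pscustomobject]@{
            Host    = $h
            IIS     = $hasIis
            Patched = $patched
            Status  = $status
        }
    }
    catch {
        # Unreachable or access denied: report rather than silently skip.
        [pscustomobject]@{
            Host    = $h
            IIS     = $null
            Patched = $null
            Status  = "Query failed: $($_.Exception.Message)"
        }
    }
}

# Exposed, unpatched hosts first.
$report | Sort-Object -Property @{Expression = { $_.Status -eq 'PATCH NOW' }; Descending = $true }, Host |
          Format-Table -AutoSize
```

Get-HotFix reads Win32_QuickFixEngineering, which does not list every update that may have superseded or bundled a fix, so treat a "missing" result as "verify on the host" rather than as proof the system is vulnerable; a "Query failed" row still needs a manual check.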

Alert Detection

The Masergy Threat Intelligence Team has deployed the following alerts to detect the exploitation of this vulnerability.

EXP:CVE-2015-1635

Possible inbound IIS integer overflow exploit attempt. CVE-2015-1635 is an overflow vulnerability in HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 that allows remote attackers to execute arbitrary code or cause a denial of service via crafted HTTP requests.