Blog: How Tos

MS15-034. What you need to know

Joe Bursell 16 Apr 2015

MS15-034

Amongst the other recent patch Tuesday updates Microsoft released MS15-034. It deals with a “Vulnerability in HTTP.sys Could Allow Remote Code Execution”.

HTTP.sys is a kernel-mode device driver that processes HTTP requests. Were it only present in Windows server versions the issue would be bad, but not quite as bad.

The thing with HTTP.sys is that it’s inside Windows 7 and 8 desktop versions too, making these vulnerable as well.

That’s quite a BIG DEAL.

The lowdown, in simple terms

The vulnerability isn’t restricted to IIS, it’s a Windows wide issue, affecting any software on any device that uses Windows’ HTTP stack. It can be used to enable a DoS attack, it allows remote code execution, and if that isn’t disturbing enough it can also be triggered from outside a network with a simple HTTP request.

We’ve not seen any hard factual proof of its exploitability as yet, but there is plenty of healthy speculation, comment, and PoC code. It’s worth remembering that PoC code like this usually comes from people reverse engineering the patch with patch and vulnerability checkers in the public domain. What we don’t know is what people may have discovered who are doing this privately.

Here’s some of what we’ve found:

This is some PoC python code:
http://pastebin.com/ypURDPc4
…and this is that code ported to C:
http://www.exploit-db.com/exploits/36773/

This is the PoC python code ported to Metasploit:
https://github.com/rapid7/metasploit-framework/pull/5150

This is the powershell PoC:
https://isc.sans.edu/diary/MS15-034%3A+HTTP.sys+%28IIS%29+DoS+And+Possible+Remote+Code+Execution.+PATCH+NOW/19583

Actionable attacks?

It’s still very early days, and as I mentioned previously we’ve seen nothing in the wild. While
this tweeter claims that triggering MS15-034 and getting a blue screen of death / DoS is trivial plenty of others are not convinced, saying that that example is a simple vulnerability check.

Depending on who you read the basic detail is that a) It seems to cause blue screens or b) locks up vulnerable servers. In my book this makes it a functional DoS. The remote code execution doesn’t seem to be proven yet but that’s probably just a matter of time.

What should you do?

Patch. Apply the MS15-034 update https://support.microsoft.com/en-us/kb/3042553. Simple.

If you’re unsure about what action to take then mull this over:
Of all the supposed APT enabled attacks (think Home Depot et al) the thing that made them so deadly effective wasn’t the killer zero-day malware used to gain initial access, it was the lack of patching that allowed escalation and further access to data.