A researcher has released a proof-of-concept (PoC) exploit for CVE-2021-31166, a use-after-free, highly critical vulnerability in the HTTP protocol stack (http.sys
) that could lead to wormable remote code execution (RCE).
Microsoft discovered the flaw internally, releasing a patch in its May 11 Patch Tuesday update. This was the most severe bug in that batch: an http.sys
issue that requires neither user authentication nor user interaction to exploit. An exploit would allow RCE with kernel privileges or a denial-of-service (DoS) attack.
According to a tweet from Microsoft’s Justin Campbell, the vulnerability was found by @_mxms and @fzzyhd1.
Fortunately this http.sys bug was an internal find by our team. This one thanks to @_mxms, @fzzyhd1 and everyone who contributes to our tooling and automation. https://t.co/0ru9BQMaJ9
— Justin Campbell (@metr0) May 13, 2021
http.sys
enables Windows and applications to communicate with other devices; it can be run standalone or in conjunction with Internet Information Services (IIS).
Microsoft Advises Priority Patching
“In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys
) to process packets,” Microsoft explained in its advisory. Given that the vulnerability is wormable, Microsoft recommends prioritizing the patching of affected servers.
“With a CVSS score of 9.8, the vulnerability announced has the potential to be both directly impactful and is also exceptionally simple to exploit, leading to a remote and unauthenticated denial-of-service (Blue Screen of Death) for affected products,” McAfee’s Steve Povolny said in an analysis of the flaw at the time.
Povolny explained that the problem lies in how Windows improperly tracks pointers while processing objects in network packets containing HTTP requests. The vulnerability only affects the latest versions of Windows 10 and Windows Server, meaning that the exposure for internet-facing enterprise servers is “fairly limited,” he said. That’s because many of these systems run Long Term Servicing Channel (LTSC) versions, such as Windows Server 2016 and 2019, which aren’t susceptible to this flaw.
Public Exploit for Wormable Security Bug
Researcher Axel Souchet, who used to work for Microsoft, published the PoC to GitHub, noting that the bug happens in http!UlpParseContentCoding
, where the function has a local LIST_ENTRY
and appends an item to it. “When it’s done, it moves it into the Request structure; but it doesn’t NULL
out the local list,” he explained. “The issue with that is that an attacker can trigger a code path that frees every [entry] of the local list, leaving them dangling in the Request object.”
This isn’t the first PoC exploit for CVE-2021-31166 that Souchet has released, but this is the first wormable one. Over the weekend, he released a PoC that only locked the impacted Windows system as long as it’s running an IIS server. That initial exploit shows how an attacker can leverage the flaw to cause DoS on a targeted system by sending it specially crafted packets.
I’ve built a PoC for CVE-2021-31166 the “HTTP Protocol Stack Remote Code Execution Vulnerability”: https://t.co/8mqLCByvCp 🔥🔥 pic.twitter.com/yzgUs2CQO5
— Axel Souchet (@0vercl0k) May 16, 2021
And Thus Does the Exploit Lifecycle Crank Up Again
The publishing of a PoC code like this is typically the first step in the lifecycle of an exploit. As explained by Trend Micro’s Mayra Rosario Fuentes at the RSA Conference 2021 on Monday, the next step in that lifecycle is for crooks to sell it.
After it’s in the wild, a vulnerability moves into the stage of public disclosure. Next, the vendor patches the vulnerability. Finally, that vulnerability goes down two paths: If it’s patched, that’s it, end of life. If not, the exploit’s still there, waiting to be purchased on underground forums and set free on whichever unlucky victims haven’t yet patched.
One example is the eight-month lifecycle of CVE-2020-9054: an exploit sold on the XSS cybercriminal forum for $20,000 in February 2020 that got written up by cybersecurity journalist Brian Krebs, was publicly disclosed and patched by Microsoft in March 2020, and wound up being exploited by a botnet a month later. That botnet, a variant of the Mirai botnet named Mukashi that targeted Zyxel network-attached storage (NAS) devices, allowed threat actors to remotely compromise and control devices.
Five months after it was patched, in August 2020, another forum post requested an exploit, offering a bargain basement payment of $2,000. It’s a tenth of the original exploit, but a solid indication that some vulnerabilities have a long shelf life – most particularly if they’re used to crack open Microsoft products. Microsoft exploits, after all, are by far the most-requested and the most-sold exploit flavors on the underground market: All the more reason to heed Microsoft’s advice to prioritize patching for this one.
Download our exclusive FREE Threatpost Insider eBook, “ 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!