Skip to content

Latest commit

 

History

History
55 lines (45 loc) · 2.75 KB

README.md

File metadata and controls

55 lines (45 loc) · 2.75 KB

CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability PoC

author: Lucas Dominikow

For demonstration purposes only. Complete exploit works on vulnerable Windows Server systems.

Checkout the writeup Proof of Concept: CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability.


A REAL DoS exploit for CVE-2022-21907

It supports IPv4/IPv6/HTTP/HTTPS

Affected Windows Versions:

- Windows
    - 10 Version 1809 for 32-bit Systems
    - 10 Version 1809 for x64-based Systems
    - 10 Version 1809 for ARM64-based Systems
    - 10 Version 21H1 for 32-bit Systems
    - 10 Version 21H1 for x64-based System
    - 10 Version 21H1 for ARM64-based Systems
    - 10 Version 20H2 for 32-bit Systems
    - 10 Version 20H2 for x64-based Systems
    - 10 Version 20H2 for ARM64-based Systems
    - 10 Version 21H2 for 32-bit Systems
    - 10 Version 21H2 for x64-based Systems
    - 10 Version 21H2 for ARM64-based Systems
    - 11 for x64-based Systems
    - 11 for ARM64-based Systems
- Windows Server
    - 2019
    - 2019 (Core installation)
    - 2022
    - 2022 (Server Core installation)
    - version 20H2 (Server Core Installation)

Using the PoC

- ./cve-2022-21907.py -t 192.168.0.13 -p 80 -v 4

Mitigations

- Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. Unless you have enabled the HTTP Trailer Support via EnableTrailerSupport registry value, the systems are not vulnerable.
- Delete the DWORD registry value "EnableTrailerSupport" if present under:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
- This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to the Windows 20H2 and newer.

FAQ

- How could an attacker exploit this vulnerability?
    - In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
- Is this wormable?
    - Yes. Microsoft recommends prioritizing the patching of affected servers.
- Windows 10, Version 1909 is not in the Security Updates table. Is it affected by this vulnerability?
    - No, the vulnerable code does not exist in Windows 10, version 1909. It is not affected by this vulnerability.
- Is the EnableTrailerSupport registry key present in any other platform than Windows Server 2019 and Windows 10, version 1809?
    - No, the registry key is only present in Windows Server 2019 and Windows 10, version 1809