CVE-2022-21907 - Double Free in http.sys driver
CVE-2022-21907 - Double Free in http.sys driver
Summary
An unauthenticated attacker can send an HTTP request with an "Accept-Encoding
" HTTP request header triggering a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys
) to process packets, resulting in a kernel crash.
Vulnerable systems
- Windows Server 2019 and Windows 10 version 1809:
- ❌ Not vulnerable by default. Unless you have set the HTTP Trailer Support to
EnableTrailerSupport
inHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
, the systems are not vulnerable.
- ❌ Not vulnerable by default. Unless you have set the HTTP Trailer Support to
- Windows 10 version 2004 (build
19041.450
):- ✔️ Vulnerable
You can find the http.sys
driver of Windows 10 version 2004 (build 19041.450
) here:
Patch status | Driver |
---|---|
Before patch | ./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys |
After patch | ./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys |
Demonstration
poc_cve-2022-01-18_12.35.35.mp4
Usage
$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]
Description message
optional arguments:
-h, --help show this help message and exit
-t TARGET, --target TARGET
Target IIS Server.
-v, --verbose Verbose mode. (default: False)
Call graph at the moment of the crash
Call graph:
STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
Function call graph:
───> nt!KiStartSystemThread+0x28
│ ├──> nt!PspSystemThreadStartup+0x55
│ │ ├──> HTTP!UlpThreadPoolWorker+0x112
│ │ │ ├──> HTTP!UlpHandleRequest+0x1aa
│ │ │ │ ├──> HTTP!UlpParseNextRequest+0x1ff
│ │ │ │ │ ├──> HTTP!UlParseHttp+0xac7
│ │ │ │ │ │ ├──> HTTP!UlParseHeader+0x218
│ │ │ │ │ │ │ ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
│ │ │ │ │ │ │ │ ├──> HTTP!UlpParseAcceptEncoding+0x298f5
│ │ │ │ │ │ │ │ │ ├──> HTTP!UlFreeUnknownCodingList+0x63
│ │ │ │ │ │ │ │ │ │ ├──> nt!KiRaiseSecurityCheckFailure+0x323
│ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiFastFailDispatch+0xd0
│ │ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiBugCheckDispatch+0x69
│ │ │ │ │ │ │ │ │ │ │ │ │ └──> nt!KeBugCheckEx
References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
- http://msdl.microsoft.com/download/symbols/http.pdb/3D8ADB52C1BF2F56F4EFE17AD29AC5B41/http.pdb
- https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys