CVE-2022-21907-http.sys icon indicating copy to clipboard operation
CVE-2022-21907-http.sys copied to clipboard

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

CVE-2022-21907 - Double Free in http.sys driver

CVE-2022-21907 - Double Free in http.sys driver
GitHub release (latest by date) YouTube Channel Subscribers

Summary

An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request header triggering a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) to process packets, resulting in a kernel crash.

Vulnerable systems

  • Windows Server 2019 and Windows 10 version 1809:
    • :x: Not vulnerable by default. Unless you have set the HTTP Trailer Support to EnableTrailerSupport in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\, the systems are not vulnerable.
  • Windows 10 version 2004 (build 19041.450):
    • ✔️ Vulnerable

You can find the http.sys driver of Windows 10 version 2004 (build 19041.450) here:

Patch status Driver
Before patch ./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys
After patch ./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys

Demonstration

https://user-images.githubusercontent.com/79218792/149931289-57615b83-8208-4afc-bcc0-a4155b1db8aa.mp4

Usage

$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target IIS Server.
  -v, --verbose         Verbose mode. (default: False)

Call graph at the moment of the crash

Call graph:

STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

Function call graph:

 ───> nt!KiStartSystemThread+0x28
 │    ├──> nt!PspSystemThreadStartup+0x55
 │    │    ├──> HTTP!UlpThreadPoolWorker+0x112
 │    │    │    ├──> HTTP!UlpHandleRequest+0x1aa
 │    │    │    │    ├──> HTTP!UlpParseNextRequest+0x1ff
 │    │    │    │    │    ├──> HTTP!UlParseHttp+0xac7
 │    │    │    │    │    │    ├──> HTTP!UlParseHeader+0x218
 │    │    │    │    │    │    │    ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
 │    │    │    │    │    │    │    │    ├──> HTTP!UlpParseAcceptEncoding+0x298f5
 │    │    │    │    │    │    │    │    │    ├──> HTTP!UlFreeUnknownCodingList+0x63
 │    │    │    │    │    │    │    │    │    │    ├──> nt!KiRaiseSecurityCheckFailure+0x323
 │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiFastFailDispatch+0xd0
 │    │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiBugCheckDispatch+0x69
 │    │    │    │    │    │    │    │    │    │    │    │    │    └──> nt!KeBugCheckEx

References

  • https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
  • http://msdl.microsoft.com/download/symbols/http.pdb/3D8ADB52C1BF2F56F4EFE17AD29AC5B41/http.pdb
  • https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys