Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

Last update: Dec 22, 2022

Overview

CVE-2022-21907 - Double Free in http.sys driver

Summary

An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request header triggering a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) to process packets, resulting in a kernel crash.

Vulnerable systems

Windows Server 2019 and Windows 10 version 1809:
- ❌ Not vulnerable by default. Unless you have set the HTTP Trailer Support to EnableTrailerSupport in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\, the systems are not vulnerable.
Windows 10 version 2004 (build 19041.450):
- ✔️ Vulnerable

You can find the http.sys driver of Windows 10 version 2004 (build 19041.450) here:

Patch status	Driver
Before patch	./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys
After patch	./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys

Demonstration

poc_cve-2022-01-18_12.35.35.mp4

Usage

$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target IIS Server.
  -v, --verbose         Verbose mode. (default: False)

Call graph at the moment of the crash

Call graph:

STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

Function call graph:

 ───> nt!KiStartSystemThread+0x28
 │    ├──> nt!PspSystemThreadStartup+0x55
 │    │    ├──> HTTP!UlpThreadPoolWorker+0x112
 │    │    │    ├──> HTTP!UlpHandleRequest+0x1aa
 │    │    │    │    ├──> HTTP!UlpParseNextRequest+0x1ff
 │    │    │    │    │    ├──> HTTP!UlParseHttp+0xac7
 │    │    │    │    │    │    ├──> HTTP!UlParseHeader+0x218
 │    │    │    │    │    │    │    ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
 │    │    │    │    │    │    │    │    ├──> HTTP!UlpParseAcceptEncoding+0x298f5
 │    │    │    │    │    │    │    │    │    ├──> HTTP!UlFreeUnknownCodingList+0x63
 │    │    │    │    │    │    │    │    │    │    ├──> nt!KiRaiseSecurityCheckFailure+0x323
 │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiFastFailDispatch+0xd0
 │    │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiBugCheckDispatch+0x69
 │    │    │    │    │    │    │    │    │    │    │    │    │    └──> nt!KeBugCheckEx

References

Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

43 Nov 9, 2022

Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus 11306 Based on: https://xz.aliyun.com/t/106

25 Nov 9, 2022

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

12 Nov 18, 2022

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

20 Nov 11, 2022

A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

1.5k Jan 4, 2023

Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

3 Jul 23, 2022

How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'

This bug doesn’t exist on x86: Exploiting an ARM-only race condition How to exploit a double free and get a shell. "Use-After-Free for dummies" In thi

1.2k Dec 25, 2022

CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

CVE-2022-22536 SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22

49 Nov 9, 2022

Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

135 Dec 14, 2022

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

Related tags

Overview

CVE-2022-21907 - Double Free in http.sys driver

Summary

Vulnerable systems

Demonstration

Usage

Call graph at the moment of the crash

References

You might also like...

Proof of concept to check if hosts are vulnerable to CVE-2021-41773

Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

Log4Shell Proof of Concept (CVE-2021-44228)

How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'

CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

Releases(1.1)

1.1(Jan 18, 2022)

Owner

Podalirius

proxyshell payload generate

A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

Searches filesystem for CVE-2021-44228 and CVE-2021-45046 vulnerable instances of log4j library, including embedded (jar/war/zip) packaged ones.

Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source

Gmail Accounts Hacking

CVE-2021-26855: PoC (Not a HoneyPoC for once!)

A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

Password-Manager - This app can generate ,save , find and delete passwords.

A Python tool to automate some dorking stuff to find information disclosures.

Simple python script for generating custom high-secure passwords for securing your social-apps ❤️

A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

log4j2 passive burp rce scanning tool get post cookie full parameter recognition

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Better-rtti-parser - IDA script to parse RTTI information in executable

Automatically fetch, measure, and merge subscription links on the network, use Github Action

This is an advanced backdoor, created with Python

This is a simple tool to create ZIP payloads using a provided wordlist for the symlink attack (present in some file upload vulnerabilities)

Um script simples de Port Scan + DNS by Hostname

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks