MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) caused by improper parsing of crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Solution

Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 8.1, 2012, and 2012 R2.

See Also

https://technet.microsoft.com/en-us/library/security/MS15-034

Nmap NSE Script

This vulnerability can also be found with nmap using the http-vuln-cve2015-1635 NSE script:

nmap $target1 -p 80 --script http-vuln-cve2015-1635

PORT STATE SERVICE
80/tcp open http
| http-vuln-cve2015-1635: 
| VULNERABLE:
| Remote Code Execution in HTTP.sys (MS15-034)
| State: VULNERABLE
| IDs: CVE:CVE-2015-1635
| A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
| caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
| successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
| 
| Disclosure date: 2015-04-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
|_ https://technet.microsoft.com/en-us/library/security/ms15-034.aspx

Metasploit

auxiliary/dos/http/ms15_034_ulonglongadd
MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service

Description:
 This module dumps memory contents using a crafted Range header and 
 affects only Windows 8.1, Server 2012, and Server 2012R2. Note that 
 if the target is running in VMware Workstation, this module has a 
 high likelihood of resulting in BSOD; however, VMware ESX and 
 non-virtualized hosts seem stable. Using a larger target file should 
 result in more memory being dumped, and SSL seems to produce more 
 data as well.

References:
 http://cvedetails.com/cve/2015-1635/
 http://technet.microsoft.com/en-us/security/bulletin/MS15-034
 http://pastebin.com/ypURDPc4
 https://github.com/rapid7/metasploit-framework/pull/5150
 https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection
 http://www.securitysift.com/an-analysis-of-ms15-034/
 http://securitysift.com/an-analysis-of-ms15-034/
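Both Metasploit modules above, like the nmap script, depend on a Range header whose byte offsets lie far beyond any file the server actually holds. The following Python is an added example, not part of this page or of either tool: it flags such requests on the defender's side, in a simplified proxy/WAF log format where the Range header is the last, quoted field. The log format, the 4 GiB threshold and the sample lines are all constructed assumptions; tune the threshold to the largest file the server legitimately serves.

```python
"""Flag HTTP requests whose Range header asks for byte offsets no real file
could have, the request shape behind MS15-034 probes and exploit attempts.
Added example; the log format and threshold below are assumptions."""
import re
from typing import List, Optional, Tuple

# Assumed threshold: a client asking past 4 GiB on a small static file is not a
# normal download resumption. Raise it if you serve larger files.
MAX_SANE_OFFSET = 2**32

# Constructed sample log (not real traffic): timestamp, client, method, path,
# status, quoted Range header ("-" when the request carried none).
SAMPLE_LOG = """\
2015-04-20T10:00:01Z 203.0.113.7 GET /welcome.png 206 "bytes=0-1023"
2015-04-20T10:00:02Z 203.0.113.7 GET /welcome.png 416 "bytes=0-9999999999999999999"
2015-04-20T10:00:03Z 198.51.100.4 GET /video.mp4 206 "bytes=1048576-2097151"
2015-04-20T10:00:04Z 203.0.113.7 GET /welcome.png 400 "bytes=4096-9999999999999999999"
2015-04-20T10:00:05Z 198.51.100.9 GET /index.html 200 "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
RANGE_SPEC_RE = re.compile(r"^\s*(\d*)-(\d*)\s*$")


def suspicious_range(range_header: str) -> Optional[str]:
    """Return a reason string if any byte-range spec in the header names an
    offset above MAX_SANE_OFFSET, otherwise None. Handles the multi-range
    form 'bytes=a-b,c-d' by checking each spec; non-byte units are ignored."""
    if not range_header.startswith("bytes="):
        return None
    for spec in range_header[len("bytes="):].split(","):
        m = RANGE_SPEC_RE.match(spec)
        if not m:
            continue  # not a spec we understand; leave it to other rules
        for label, value in (("start", m.group(1)), ("end", m.group(2))):
            if value and int(value) > MAX_SANE_OFFSET:
                return f"{label} offset {value} exceeds {MAX_SANE_OFFSET}"
    return None


def scan_log(text: str) -> List[Tuple[str, str, int, str]]:
    """Parse log lines and return (client, path, status, reason) for each
    request carrying a suspicious Range header. Malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, path, status, rng = m.groups()
        reason = suspicious_range(rng)
        if reason:
            hits.append((client, path, int(status), reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The response status is kept in each hit on purpose: the scanners key on how HTTP.sys answers an absurd range, so correlating the flagged request with a 416 versus a 400 tells you whether the host responded the way an unpatched system does; either way, repeated hits from one client against a small static file are worth an alert.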


auxiliary/scanner/http/ms15_034_http_sys_memory_dump
MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure