Associated Vulnerability
Title: Microsoft HTTP.sys resource management error vulnerability (CVE-2021-31166)
Description: Microsoft HTTP.sys is an HTTP application protocol from Microsoft Corporation (USA). HTTP.sys has a resource management error vulnerability. The following products and versions are affected: Windows 10 Version 2004 for 32-bit Systems, Windows 10 Version 2004 for ARM64-based Systems, Windows 10 Version 2004 for x64-based Systems, Windows Server, version 2004 (Ser
Description
HTTP Protocol Stack CVE-2021-31166
Readme
# CVE-2021-31166
Detection of attempts to exploit CVE-2021-31166 (HTTP Protocol Stack vulnerability)
- Suricata rule
- Zeek Package
## References
https://corelight.blog/2021/05/27/detecting-cve-2021-31166-http-vulnerability/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
https://github.com/0vercl0k/CVE-2021-31166
https://www.bleepingcomputer.com/news/security/exploit-released-for-wormable-windows-http-vulnerability/
## Notice provided by Zeek package (example)
- To speed up triaging, the sub field contains the first 200 characters of the header value.
- The notices below were generated with suppression turned off for demonstration purposes; by default the notice is suppressed for 3600 seconds per id.orig_h-id.resp_h tuple.
```
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2021-05-18-15-57-59
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval string string string double double
1621316027.006608 C5ABKx3uBT03uzsJEg 10.31.33.7 52728 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, ,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316049.181915 C68JnP3zUs0En7tHS1 10.31.33.7 52733 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo,,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316067.175599 CjIQY93viY6dibvYsg 10.31.33.7 52739 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, ,' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
1621316106.328303 CTs0sL1lgR0AId1Oag 10.31.33.7 52743 10.0.0.13 80 - - - tcp CVE_2021_31166::CVE_2021_31166 Potential IIS HTTP Protocol Stack CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166 The ACCEPT-ENCODING Header value (max 200 chars shown) is 'doar-e, ftw, imo, , foo' 10.31.33.7 10.0.0.13 80 - - Notice::ACTION_LOG 3600.000000 - - - - -
#close 2021-05-18-15-57-59
```
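An added triage helper, not part of the Corelight package: it parses the notice.log format shown above, pulls the quoted header value out of the sub field, and replays the 3600-second per-(id.orig_h, id.resp_h) suppression the notes describe, so an analyst can see how many of the notices would have surfaced with suppression on. The sample rows are constructed from the README's lines.

```python
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type "
          "file_desc proto note msg sub src dst p n peer_descr actions suppress_for "
          "remote_location.country_code remote_location.region remote_location.city "
          "remote_location.latitude remote_location.longitude").split()

def _row(ts, uid, sport, value):  # constructed sample row using the README's columns/hosts
    cols = [ts, uid, "10.31.33.7", sport, "10.0.0.13", "80", "-", "-", "-", "tcp",
            "CVE_2021_31166::CVE_2021_31166", "Potential IIS HTTP Protocol Stack "
            "CVE-2021-31166 exploit attempt. POC https://github.com/0vercl0k/CVE-2021-31166",
            f"The ACCEPT-ENCODING Header value (max 200 chars shown) is '{value}'",
            "10.31.33.7", "10.0.0.13", "80", "-", "-", "Notice::ACTION_LOG", "3600.000000",
            "-", "-", "-", "-", "-"]
    return "\t".join(cols)

SAMPLE_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
    "#path\tnotice", "#open\t2021-05-18-15-57-59", "#fields\t" + "\t".join(FIELDS),
    _row("1621316027.006608", "C5ABKx3uBT03uzsJEg", "52728", "doar-e, ftw, imo, ,"),
    _row("1621316049.181915", "C68JnP3zUs0En7tHS1", "52733", "doar-e, ftw, imo,,"),
    _row("1621316067.175599", "CjIQY93viY6dibvYsg", "52739", "doar-e, ftw, imo, ,"),
    _row("1621316106.328303", "CTs0sL1lgR0AId1Oag", "52743", "doar-e, ftw, imo, , foo"),
    "#close\t2021-05-18-15-57-59"])

def parse_zeek_log(text):
    """'#' lines are header directives, #fields names the columns, the rest are rows."""
    sep, unset, fields, rows = "\t", "-", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")  # "\x09" -> tab
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif not line.startswith("#"):
            rows.append(dict(zip(fields, [None if v == unset else v for v in line.split(sep)])))
    return rows

def header_value(row):
    """The quoted Accept-Encoding value the notice carries in its sub field."""
    return row["sub"][row["sub"].index("'") + 1:row["sub"].rindex("'")]

def replay_suppression(rows, window=3600.0):
    """First CVE_2021_31166 notice per (id.orig_h, id.resp_h) tuple in each window."""
    last, kept = {}, []
    for r in sorted(rows, key=lambda r: float(r["ts"])):
        key, ts = (r["id.orig_h"], r["id.resp_h"]), float(r["ts"])
        if r["note"] == "CVE_2021_31166::CVE_2021_31166" and ts - last.get(key, float("-inf")) >= window:
            last[key] = ts
            kept.append(r)
    return kept
```

With the default window the four notices above collapse to a single one, which is why the README shows them with suppression disabled.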
## Alerts produced by Suricata rule (example)
```
05/18/2021-15:33:47.014022 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52728 -> 10.0.0.13:80
05/18/2021-15:34:09.189560 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52733 -> 10.0.0.13:80
05/18/2021-15:34:27.184188 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52739 -> 10.0.0.13:80
05/18/2021-15:35:06.335232 [**] [1:3000005:1] CORELIGHT Windows HTTP Protocol Stack memory corruption exploit attempt CVE-2021-31166 [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.31.33.7:52743 -> 10.0.0.13:80
```
File Snapshot
[4.0K] /data/pocs/1662b1d248753211010d062f3374ebae955124d3
├── [1.5K] LICENSE
├── [3.7K] README.md
├── [4.0K] scripts
│ ├── [ 725] detect.zeek
│ └── [ 19] __load__.zeek
├── [4.0K] suricata
│ └── [ 448] CVE_2021_31166.rules
└── [ 206] zkg.meta
2 directories, 6 files
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.