Proof of concept of CVE-2022-21907 (double free in the `http.sys` driver), triggering a kernel crash on IIS servers.

# CVE-2022-21907 - Double Free in http.sys driver

<p align="center">
CVE-2022-21907 - Double Free in http.sys driver
<br>
<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/p0dalirius/CVE-2022-21907-http.sys">
<a href="https://twitter.com/intent/follow?screen_name=podalirius_" title="Follow"><img src="https://img.shields.io/twitter/follow/podalirius_?label=Podalirius&style=social"></a>
<a href="https://www.youtube.com/c/Podalirius_?sub_confirmation=1" title="Subscribe"><img alt="YouTube Channel Subscribers" src="https://img.shields.io/youtube/channel/subscribers/UCF_x5O7CSfr82AfNVTKOv_A?style=social"></a>
<br>
<br>
</p>
## Summary
An unauthenticated attacker can send an HTTP request whose `Accept-Encoding` header triggers a double free of the unknown-coding list in the HTTP Protocol Stack (`http.sys`) while it parses the request, resulting in a kernel crash (denial of service).
### Vulnerable systems
- **Windows Server 2019 and Windows 10 version 1809**:
  - :x: Not vulnerable by default. These systems are only vulnerable if HTTP trailer support has been enabled through the `EnableTrailerSupport` value under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\`.
- **Windows 10 version 2004 (build `19041.450`)**:
  - ✔️ Vulnerable
You can find the `http.sys` driver of Windows 10 version 2004 (build `19041.450`) here:
| Patch status | Driver |
|--------------|-------------|
| Before patch | [./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys](ressources/drivers_before_update/C/Windows/System32/drivers/http.sys) |
| After patch | [./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys](ressources/drivers_after_update/C/Windows/System32/drivers/http.sys) |
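The registry condition above is the part of this advisory an administrator can verify directly. The following PowerShell script is an added example and is not part of this repository: it reports the OS build, the `http.sys` file version and the state of the `EnableTrailerSupport` value, and applies the decision rule stated above (Server 2019 / Windows 10 1809 are exposed only when trailer support is enabled). It assumes `EnableTrailerSupport` is a `REG_DWORD` under the `HTTP\Parameters` key and that any non-zero value enables the feature; the build numbers 17763 (1809 / Server 2019) and 19041 (2004) are well-known Windows build identifiers, not values taken from this page.

```powershell
# Added example (not from the original repository): assess a host against the
# CVE-2022-21907 conditions described in the README. Run in an elevated shell.
function Get-Http21907Status {
    # Assumption: EnableTrailerSupport is a REG_DWORD here; non-zero = enabled.
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer = (Get-ItemProperty -Path $paramsKey -Name 'EnableTrailerSupport' `
                -ErrorAction SilentlyContinue).EnableTrailerSupport

    # Build and update revision (UBR) of the running OS.
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR

    # File version of the installed HTTP Protocol Stack driver.
    $driver = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\http.sys')

    $status = [pscustomobject]@{
        OsBuild              = "$build.$ubr"
        HttpSysFileVersion   = $driver.VersionInfo.FileVersion
        TrailerSupportValue  = $trailer
        TrailerSupportOn     = ($null -ne $trailer -and $trailer -ne 0)
        Assessment           = ''
    }

    if ($build -eq 17763) {
        # Windows Server 2019 / Windows 10 1809: exposed only with trailer support on.
        if ($status.TrailerSupportOn) {
            $status.Assessment = 'EXPOSED: EnableTrailerSupport is set on 1809/Server 2019; ' +
                                 'remove the value (see below) or install the vendor patch.'
        } else {
            $status.Assessment = 'Not exposed by default: EnableTrailerSupport is absent or 0.'
        }
    } elseif ($build -ge 19041) {
        # Windows 10 2004 and later are listed as vulnerable regardless of the
        # registry value; compare the build/UBR with the vendor's patched level.
        $status.Assessment = 'Vulnerable unless patched: compare OS build and http.sys ' +
                             'version against the vendor-fixed level (README lists 19041.450 as vulnerable).'
    } else {
        $status.Assessment = 'Build not covered by this README; check the MSRC advisory.'
    }
    return $status
}

$result = Get-Http21907Status
$result | Format-List

# Mitigation for 1809 / Server 2019 hosts that do not need trailer support:
# removing the value disables the exposed code path. Uncomment to apply.
# if ($result.TrailerSupportOn -and $result.OsBuild -like '17763.*') {
#     Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' `
#                         -Name 'EnableTrailerSupport'
# }
```

The script only reads the registry and file metadata unless the mitigation block is uncommented, so it is safe to run as an inventory step across a fleet; the returned object can be collected centrally and compared against the patched build once the cumulative update has been rolled out.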
## Demonstration
https://user-images.githubusercontent.com/79218792/149931289-57615b83-8208-4afc-bcc0-a4155b1db8aa.mp4
## Usage
```
$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target IIS Server.
  -v, --verbose         Verbose mode. (default: False)
```
## Call graph at the moment of the crash
Kernel stack at the bugcheck (WinDbg `STACK_TEXT`):
```
STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
```
Function call graph:
```
───> nt!KiStartSystemThread+0x28
│ ├──> nt!PspSystemThreadStartup+0x55
│ │ ├──> HTTP!UlpThreadPoolWorker+0x112
│ │ │ ├──> HTTP!UlpHandleRequest+0x1aa
│ │ │ │ ├──> HTTP!UlpParseNextRequest+0x1ff
│ │ │ │ │ ├──> HTTP!UlParseHttp+0xac7
│ │ │ │ │ │ ├──> HTTP!UlParseHeader+0x218
│ │ │ │ │ │ │ ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
│ │ │ │ │ │ │ │ ├──> HTTP!UlpParseAcceptEncoding+0x298f5
│ │ │ │ │ │ │ │ │ ├──> HTTP!UlFreeUnknownCodingList+0x63
│ │ │ │ │ │ │ │ │ │ ├──> nt!KiRaiseSecurityCheckFailure+0x323
│ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiFastFailDispatch+0xd0
│ │ │ │ │ │ │ │ │ │ │ │ ├──> nt!KiBugCheckDispatch+0x69
│ │ │ │ │ │ │ │ │ │ │ │ │ └──> nt!KeBugCheckEx
```
## References
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
- http://msdl.microsoft.com/download/symbols/http.pdb/3D8ADB52C1BF2F56F4EFE17AD29AC5B41/http.pdb
- https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
## Repository layout

```
[4.0K] /data/pocs/5ae70be6d7b68cf7016bfdb00d9891881156e821
├── [2.3K] CVE-2022-21907_http.sys_crash.py
├── [5.8K] README.md
└── [4.0K] ressources
    ├── [4.0K] drivers_after_update
    │   └── [4.0K] C
    │       └── [4.0K] Windows
    │           └── [4.0K] System32
    │               └── [4.0K] drivers
    │                   ├── [1.0M] http.pdb
    │                   └── [1.5M] http.sys
    ├── [4.0K] drivers_before_update
    │   └── [4.0K] C
    │       └── [4.0K] Windows
    │           └── [4.0K] System32
    │               └── [4.0K] drivers
    │                   ├── [1.0M] http.pdb
    │                   └── [1.5M] http.sys
    └── [6.3K] trace.txt

11 directories, 7 files
```