An analysis and a working proof-of-concept have been published for a wormable vulnerability in the Windows IIS server that could allow code execution. Microsoft tracks the flaw, and the patch for it, as CVE-2021-31166.
What can this exploit do?
The flaw can be exploited by an unauthenticated attacker who sends a specially crafted packet to a targeted server that uses the HTTP Protocol Stack (http.sys) to process packets.
This stack is used by the IIS server built into Windows, which means a system with IIS enabled is exposed. The flaw is wormable and affects several versions of Windows 10 as well as Windows Server 2004 and Windows Server 20H2.
The bug itself is in HTTP!UlpParseContentCoding, where the function builds a local LIST_ENTRY and appends an item to it. When it is done, it moves the list into the Request structure, but it does not NULL out the local list. As a result, an attacker can trigger a code path that frees every entry of the local list, leaving them dangling in the Request object.
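The ownership-transfer mistake described above, reduced to a constructed C model (added here; this is not code from the page, from http.sys or from the researcher's PoC): a NULL-terminated singly linked list stands in for the kernel's circular LIST_ENTRY, and "freeing" sets a flag instead of calling free() so the aliasing can be observed without touching released memory. The `fixed` switch shows the one missing step, clearing the local list head after the move, beside the buggy behaviour.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a NULL-terminated singly linked list stands in for
 * LIST_ENTRY; "freeing" sets a flag instead of calling free(). */
typedef struct coding { struct coding *next; int freed; } CODING;
typedef struct { CODING *head; } CODING_LIST;
typedef struct { CODING_LIST codings; } REQUEST;

static void list_append(CODING_LIST *l, CODING *c) {
    CODING **p = &l->head;
    c->next = NULL;
    c->freed = 0;
    while (*p) p = &(*p)->next;
    *p = c;
}

/* Cleanup path: release every entry still reachable from this list head. */
static void list_release(CODING_LIST *l) {
    for (CODING *c = l->head; c; c = c->next) c->freed = 1;
    l->head = NULL;
}

/* Parse step shaped like the bug: build a local list, hand it to the request,
 * then hit the cleanup path that frees whatever the local list still owns. */
static void parse_content_coding(REQUEST *req, CODING *c, bool fixed) {
    CODING_LIST local = { NULL };
    list_append(&local, c);
    req->codings = local;          /* ownership moves to the request */
    if (fixed) local.head = NULL;  /* the missing step: drop the local alias */
    list_release(&local);          /* buggy: also frees the request's entries */
}

/* Returns true when the request is left holding a freed (dangling) entry. */
static bool request_has_dangling(bool fixed) {
    REQUEST req = { { NULL } };
    CODING c;
    parse_content_coding(&req, &c, fixed);
    return req.codings.head != NULL && req.codings.head->freed;
}
```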
Security researcher Axel Souchet published proof-of-concept exploit code for the wormable flaw affecting Windows IIS over the weekend.
The PoC code crashes an unpatched Windows system running an IIS server; it does not implement worming capabilities. Attackers could nevertheless start triggering the vulnerability in the wild, since the PoC code could be built upon for active exploitation.
Information on the Patch CVE-2021-31166
The patch for CVE-2021-31166, recently released by Microsoft, corrects the bug described above, which could allow an unauthenticated attacker to execute code remotely in the kernel. The bug is wormable and highly exploitable. Note that Windows 10 can also be configured as a web server, so it is affected as well.
We recommend applying this patch in your environment as soon as possible to avoid exploitation. A stitch in time saves nine!