Slashdot Mirror


Remote Code Execution Vulnerability Found In Windows HTTP Stack

jones_supa writes: A remote code execution vulnerability exists in the Windows HTTP stack that is caused when HTTP.SYS parses specially-crafted HTTP requests. An attacker who has successfully exploited this vulnerability could execute arbitrary code under the SYSTEM context. Details of the bug are withheld, but exploit code is floating around. Microsoft describes the issue in security bulletin MS15-034. An update (KB3042553) is already available for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. As a workaround, Microsoft offers disabling IIS kernel caching.

12 of 119 comments

  1. HTTP.SYS? by GerbilSoft · · Score: 5, Informative
    http://support.microsoft.com/e...

    In Windows Server 2003 and later versions, Http.sys is the kernel mode driver that handles HTTP requests.

    WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

    1. Re:HTTP.SYS? by poizan42 · · Score: 4, Informative

      > IIS kernel caching

      For performance reasons probably. It's optional though. I have no idea about real numbers, but there is always some overhead associated with context switches which may be reduced if the http stream is assembled in chunks in kernelspace and control is only switched to userspace when a chunk is ready. Also it may be possible to parse the http stream directly from the buffer that the hardware writes the received data to without the overhead of copying the packets to userspace.

    2. Re:HTTP.SYS? by Begemot · · Score: 5, Informative

      WHY is there a kernel mode driver for HTTP? That's literally begging for security holes.

      The reasons are clearly described here

    3. Re: HTTP.SYS? by poizan42 · · Score: 5, Informative

      The user context doesn't really matter when it runs in kernel space as nothing can stop you from just replacing the user context. Why http parsing is done in kernel space is exactly to maximize performance. As mentioned in TFS you can disable it if you want to. One could argue that it shouldn't be on by default because it doesn't give you much if you are serving dynamic content.

    4. Re:HTTP.SYS? by Anonymous Coward · · Score: 5, Informative

      HTTP requests are raw user input. You don't want raw user input anywhere near a kernel module.

      All network input is raw user input, and all passes through a kernel module before being passed to the application in user mode. With varying levels of parsing, of course. After all, the kernel handles protocols like TCP, IPSec, etc. HTTP does seem a particularly complex protocol to implement in the kernel though, meaning more risk of bugs.

      If you hadn't put an HTTP handler in the kernel, you wouldn't need a switch of context.

      You would. This receives the network request and responds to it from a cached copy without passing the request to the web server. Not doing so would mean a context switch to the server application.

      Requests are processed faster because they are routed directly from the kernel to the appropriate user-mode worker process instead of being routed between two user-mode processes.

      And there's the real reason it's done - it should say "IPC sucks real bad in Windows, so we made this stupid, stupid, idiotic hack to try and compete with that other OS we're not mentioning."

      You are misunderstanding the statement. This is not for IPC (it's for caching static content, so useless as such). The 'appropriate user-mode worker[s]' they mean are a caching http proxy and http server. They have moved the caching proxy into the kernel. Of course you could also implement it within the server, but doing it in kernel means even fewer context switches to respond to a request from the network.

      You could do that in a user process.

      You could do that in a user process too.

      Absolutely. It was done so first. This was purely done as an optimisation for high-volume environments. Doesn't mean it should be on by default.

    5. Re:HTTP.SYS? by poizan42 · · Score: 4, Informative

      Turns out it's not actually on by default. You have to add a caching rule and check the "Enable Kernel Caching" checkbox.

    6. Re: HTTP.SYS? by poizan42 · · Score: 3, Informative

      Let me correct myself here - it's not even on by default. You have to actually check an "Enable Kernel Caching" checkbox to turn it on. People are spending way too much time bashing a feature that's opt-in.

    7. Re:HTTP.SYS? by Anonymous Coward · · Score: 3, Informative

      According to this page IT IS on by default.

      https://technet.microsoft.com/en-us/library/cc731903%28v=ws.10%29.aspx

      "By default, kernel caching is enabled in IIS 7."

    8. Re:HTTP.SYS? by NetCow · · Score: 3, Informative

      It's on by default in 2008, 2008R2, Vista, 7. Quoth Enable Kernel Caching (IIS 7):

      Note: By default, kernel caching is enabled in IIS 7.
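An added example, not from the thread or from Microsoft: a PowerShell audit for the two items the summary names, whether the KB3042553 update is installed and whether IIS kernel caching is enabled (checked at server level and per site, since the thread disputes the default), with the disable-kernel-caching workaround applied only on request. It assumes the WebAdministration module (IIS 7+) and an elevated session; the -Remediate switch is this script's own.

```powershell
# Added example (not from the Slashdot thread or from Microsoft): audit a
# Windows/IIS host for the MS15-034 update and the kernel-caching workaround.
# Requires the WebAdministration module (IIS 7+); run in an elevated session.
# -Remediate is this script's own switch, not a Microsoft parameter.
param([switch]$Remediate)

$kb = 'KB3042553'   # update id named in security bulletin MS15-034

# 1. Is the update installed? (Get-HotFix only sees updates installed through
#    Windows Update / MSU packages, so a "not found" result is worth confirming.)
$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "OK: $kb installed on $($fix.InstalledOn)"
} else {
    Write-Warning "$kb NOT installed; HTTP.SYS on this host is unpatched for MS15-034"
}

# 2. Is kernel caching enabled? Read the effective server-level setting from
#    applicationHost.config instead of assuming the default.
Import-Module WebAdministration -ErrorAction Stop
$apphost = 'MACHINE/WEBROOT/APPHOST'
$kc = (Get-WebConfigurationProperty -PSPath $apphost `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache').Value
Write-Host "Server-level enableKernelCache = $kc"

# A site's own web.config can override the server setting, so check each site.
foreach ($site in Get-Website) {
    $v = (Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
            -Filter 'system.webServer/caching' -Name 'enableKernelCache').Value
    Write-Host "  site '$($site.Name)': enableKernelCache = $v"
}

# 3. Apply Microsoft's stated workaround (disable IIS kernel caching) only when
#    the host is unpatched and the operator asked for it.
if (-not $fix -and $Remediate) {
    Set-WebConfigurationProperty -PSPath $apphost `
        -Filter 'system.webServer/caching' -Name 'enableKernelCache' -Value $false
    Write-Host "Kernel caching disabled at server level; re-enable after installing $kb"
}
```

Site-level overrides are not changed by the remediation branch; review any site that still reports enableKernelCache = True after the server-level change.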

  2. Why the hell ... by gstoddart · · Score: 4, Informative

    Why oh why would you put the parsing of HTTP at the kernel level?

    Why does Microsoft consistently fail to understand that if you make something inherent to the OS it becomes a bigger security risk?

    This just makes no sense to me, no more than embedding IE so deeply into the OS they said they couldn't remove it.

    This is the kind of stuff which needs to be in userspace, not the friggin OS.

    --
    Lost at C:>. Found at C.

    1. Re:Why the hell ... by Just+Some+Guy · · Score: 5, Informative

      Why oh why would you put the parsing of HTTP at the kernel level?

      They probably saw that FreeBSD has been doing it for 15 years and thought it might be a good idea.

      This is the kind of stuff which needs to be in userspace, not the friggin OS.

      Apparently not everyone agrees with that.

      I'm in no way a Microsoft apologist, but it's not like a senior engineer rolled out of bed one morning, smoked some crack, and yelled "hey, let's break some crap today!" Lots of stuff is done in kernel mode in Linux and the BSDs - like all kinds of graphical mischief - and MS probably does the same things for the same reasons.

      --
      Dewey, what part of this looks like authorities should be involved?

  3. Re:Don't see what the big deal is... by Anonymous Coward · · Score: 2, Informative

    "Windows NT" includes basically... every Windows OS since 1993 to date; including Windows 10 that hasn't even come out yet.

    So, no. It wasn't EOL'd, as you so put it.