9

The Windows kernel-level HTTP driver http.sys is affected by a remote code execution vulnerability (MS15-034).

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.

This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

What's not clear to me is whether http.sys would be running and listening on a Windows machine which does not have a web server installed.

A post on installing nginx on Windows would suggest that http.sys is running regardless. Is that the case, or would it be disabled by default on desktop Windows versions?

DarkLighting
vartec

2 Answers

5

IIS is one of many applications that get HTTP requests passed to it from HTTP.sys, so HTTP.sys can be loaded without IIS running or even being installed.

Windows implements an HTTP listener as part of the network subsystem via a kernel mode driver (HTTP.sys). HTTP.sys is what's actually listening for HTTP requests and passing them on to the application responsible for processing the request (e.g. IIS/WinRM, etc.). It's also responsible for passing the HTTP response back to the client application (e.g. web browser, PowerShell, etc.). Hypertext Transfer Protocol Stack (HTTP.sys)

Examples of applications/services using HTTP.sys: ADFS, Powershell Remoting (uses WinRM), SSDP (Simple Service Discovery Protocol), UPnP (Universal Plug and Play), Web Application Proxy, Win Media Extender, WinRM (Windows Remote Management)

Note that you can run `netsh http show servicestate` to see what is using HTTP.sys.

phiz
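A defender-side inventory of what is currently registered with HTTP.sys, as an added example (not code from the question, the answers, or Microsoft), so a host without IIS can be checked for an active kernel HTTP listener. It assumes English `netsh http show servicestate view=requestq` output with one `Request queue name:` line per queue followed by `Process IDs:` and `Registered URLs:` sections; the function name is hypothetical.

```powershell
function Get-HttpSysRegistration {
    # HTTP.sys is exposed as the "HTTP" kernel service; IIS is not needed for it to run.
    $svc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
    $driverState = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }

    $queues  = @()
    $current = $null
    $inPids  = $false

    # Assumption: English netsh output with one "Request queue name:" block per queue.
    foreach ($raw in (netsh http show servicestate view=requestq)) {
        $line = $raw.Trim()
        if ($line -match '^Request queue name:\s*(.+)$') {
            if ($current) { $queues += $current }
            $current = [pscustomobject]@{ Queue = $Matches[1]; Processes = @(); Urls = @() }
            $inPids = $false
        }
        elseif (-not $current) { continue }
        elseif ($line -eq 'Process IDs:') { $inPids = $true }
        elseif ($inPids -and $line -match '^\d+$') {
            # Resolve the PID so the owning process is visible (e.g. svchost hosting WinRM).
            $p = Get-Process -Id ([int]$line) -ErrorAction SilentlyContinue
            $name = if ($p) { $p.ProcessName } else { 'unknown' }
            $current.Processes += "$name ($line)"
        }
        elseif ($line -match '^HTTPS?://') { $current.Urls += $line; $inPids = $false }
        elseif ($line -ne '') { $inPids = $false }
    }
    if ($current) { $queues += $current }

    [pscustomobject]@{ DriverState = $driverState; Queues = $queues }
}

# Usage: a Running driver with an empty Queues list still means HTTP.sys is loaded,
# just with nothing registered at this moment.
$report = Get-HttpSysRegistration
"HTTP.sys driver state: $($report.DriverState)"
$report.Queues | Format-Table -AutoSize
```

Run it from an elevated prompt, since `netsh http show servicestate` needs administrative rights to list every request queue.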
2

This reddit thread gives us some information based on the reported exploits. As you may see, it is a problem regarding validation in the "Range" HTTP header. Some users reported getting an immediate BSoD after issuing the mentioned requests to their web servers.

Correction: So, as it seems, you do NOT have to be running IIS to be affected by this vulnerability.

EDIT:

One of the posts says:

"HTTP.sys is a driver used in lots of stuff not just IIS. I'm still tracking it down client side but from initial investigation, SSDP, UPnP, WinRM, Powershell Remoting, Win Media Extender..."

Someone even said:

Suspect ADFS as well.

edit: Yes, bluescreen possible.

And to make things worse, the problem lies in the kernel, as stated in the official workaround in the bulletin.

DarkLighting
  • One of the posts in the thread reads *"HTTP.sys is a driver used in lots of stuff not just IIS. I'm still tracking it down client side but from initial investigation, SSDP, UPnP, WinRM, Powershell Remoting, Win Media Extender..."* – vartec Apr 16 '15 at 22:13
  • Please review: https://news.ycombinator.com/item?id=9378449 – k1DBLITZ Apr 17 '15 at 13:09