CVE-2022-21907

Description

• POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability.
• create by antx at 2022-01-17, just some small fixes by Michele “[email protected]”

Detail

• HTTP Protocol Stack Remote Code Execution Vulnerability.
• Similar to CVE-2021-31166.
• This problem exists, from last year which is reported on CVE-2021-31166, and still there.

CVE Severity

• attackComplexity: LOW
• attackVector: NETWORK
• availabilityImpact: HIGH
• confidentialityImpact: HIGH
• integrityImpact: HIGH
• privilegesRequired: NONE
• scope: UNCHANGED
• userInteraction: NONE
• version: 3.1
• baseScore: 9.8
• baseSeverity: CRITICAL

Affect

• Windows
  • 10 Version 1809 for 32-bit Systems
  • 10 Version 1809 for x64-based Systems
  • 10 Version 1809 for ARM64-based Systems
  • 10 Version 21H1 for 32-bit Systems
  • 10 Version 21H1 for x64-based System
  • 10 Version 21H1 for ARM64-based Systems
  • 10 Version 20H2 for 32-bit Systems
  • 10 Version 20H2 for x64-based Systems
  • 10 Version 20H2 for ARM64-based Systems
  • 10 Version 21H2 for 32-bit Systems
  • 10 Version 21H2 for x64-based Systems
  • 10 Version 21H2 for ARM64-based Systems
  • 11 for x64-based Systems
  • 11 for ARM64-based Systems
• Windows Server
  • 2019
  • 2019 (Core installation)
  • 2022
  • 2022 (Server Core installation)
  • version 20H2 (Server Core Installation)

POC

• Poc

Mitigations

• Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. Unless you have enabled the HTTP Trailer Support via EnableTrailerSupport registry value, the systems are not vulnerable.
• Delete the DWORD registry value “EnableTrailerSupport” if present under:

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
      

• This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to the Windows 20H2 and newer.

FAQ

• How could an attacker exploit this vulnerability?
  • In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
• Is this wormable?
  • Yes. Microsoft recommends prioritizing the patching of affected servers.
• Windows 10, Version 1909 is not in the Security Updates table. Is it affected by this vulnerability?
  • No, the vulnerable code does not exist in Windows 10, version 1909. It is not affected by this vulnerability.
• Is the EnableTrailerSupport registry key present in any other platform than Windows Server 2019 and Windows 10, version 1809?
  • No, the registry key is only present in Windows Server 2019 and Windows 10, version 1809

Reference

• Ref-Source
  • https://github.com/mauricelambert/CVE-2022-21907
  • https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907
• Ref-Risk
  • HTTP Protocol Stack Remote Code Execution Vulnerability
  • NVD
• CVE
  • CVE-2022-21907
  • CVE-2022-21907
• Ref-Related
  • CVE-2021-31166