Windows PoC Exploit Released For The Most Critical Wormable RCE in HTTP Protocol Stack

Security researchers have recently found a serious vulnerability in Windows IIS (Internet Information Services). Microsoft fixed it in the Patch Tuesday release of 12 May, and it is tracked as CVE-2021-31166.

Many security experts and security companies consider this vulnerability one of the most critical flaws that Microsoft found and patched this month.

HTTP Protocol Stack RCE Vulnerability

Axel Souchet noted that, because the capabilities of the HTTP Protocol Stack RCE flaw are limited in practice, most potential targets are likely safe from such attacks.

The HTTP Protocol Stack is used by the Windows IIS (Internet Information Services) server. Axel Souchet, a security researcher who used to work for Microsoft, explained that if this server is enabled, an attacker can send it a specially crafted packet to execute malicious code at the OS kernel level.

Regardless, Microsoft's security team strongly recommends that all users install the released security updates immediately.

This flaw is quite similar to another Microsoft vulnerability in the HTTP network stack, tracked as CVE-2015-1635 and reported by security researchers in 2015.

CVE ID: CVE-2021-31166
Assigning CNA: Microsoft
Released: May 11, 2021
CVSS 3.0 score: 9.8 out of 10

To show the flaw in action, former Microsoft security researcher Axel Souchet published a PoC exploit for CVE-2021-31166 (“HTTP Protocol Stack Remote Code Execution Vulnerability”).

This security flaw only affects recent OS versions, namely Windows 10 2004 and 20H2 and Windows Server 2004 and 20H2, which are not yet widely deployed.

CVE-2021-31166 does not lend itself to a full-fledged worm; it only leads to a crash (DoS) of unpatched Windows versions running the IIS server.

This means an attacker can leave all the entries of the local list dangling in the Request object by triggering the code path that frees all the entries of the local list.

Possible targets are safe from attacks.

This critical flaw (CVE-2021-31166) is a memory corruption bug in the HTTP protocol stack (HTTP.sys), which is included in all recent versions of Windows.

Worse, Microsoft warned that this RCE vulnerability is wormable: threat actors could use it to create malware that spreads itself from server to server.

PoC for CVE-2021-31166 triggers a Blue Screen of Death (BSOD).

The interesting part is that the function does not NULL out the local list (LIST_ENTRY) after moving it into the Request structure when it is done.

The image above shows the flaw in action and how this critical bug triggers the Blue Screen of Death (BSOD). Axel explains that the bug lies in “http!UlpParseContentCoding”, where the function has a local LIST_ENTRY to which it appends items.
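The pattern Axel describes (a local list head that is handed to the Request object but never reset, so a later error path frees entries the Request still points to) is a generic ownership bug, and the fix is a one-line reset of the local head after the hand-over. The following user-mode model is an added example written for this article; it is not HTTP.sys code and not Souchet's PoC. It assumes a singly-linked stand-in for LIST_ENTRY, a static arena in place of kernel pool memory, a hypothetical Request field name, and a hypothetical "trailing comma" condition as the error that fires after the hand-over. Freeing only clears an in-use flag, so the dangling state can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the bug class: a parser collects entries on a local list head,
 * hands the list to the Request, but never resets the local head. A later
 * error path then frees "the local list", which the Request now owns.
 * NOT HTTP.sys code: the list, the arena, the field names and the error
 * trigger are all hypothetical stand-ins chosen for this illustration.
 */

#define MAX_ENTRIES 8
#define MAX_NAME    16

typedef struct CodingEntry {
    struct CodingEntry *Next;   /* stand-in for LIST_ENTRY.Flink */
    char Name[MAX_NAME];        /* one content-coding token, e.g. "gzip" */
    int InUse;                  /* 1 while "allocated" from the arena */
} CodingEntry;

typedef struct {
    CodingEntry *CodingList;    /* hypothetical: list handed over by the parser */
} Request;

static CodingEntry g_pool[MAX_ENTRIES];   /* stand-in for kernel pool memory */

static void PoolReset(void) { memset(g_pool, 0, sizeof g_pool); }
static void PoolFree(CodingEntry *e) { e->InUse = 0; }   /* memory stays readable */

static CodingEntry *PoolAlloc(const char *name, size_t len) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (g_pool[i].InUse) continue;
        if (len >= MAX_NAME) len = MAX_NAME - 1;   /* truncate over-long tokens */
        memcpy(g_pool[i].Name, name, len);
        g_pool[i].Name[len] = '\0';
        g_pool[i].Next = NULL;
        g_pool[i].InUse = 1;
        return &g_pool[i];
    }
    return NULL;
}

/* Error-path cleanup: free every entry still reachable from a list head. */
static void FreeList(CodingEntry *head) {
    while (head) {
        CodingEntry *next = head->Next;
        PoolFree(head);
        head = next;
    }
}

/*
 * Parse a comma-separated coding list such as "gzip, deflate" into entries,
 * hand them to the Request, then run a hypothetical post-transfer check that
 * rejects a trailing comma. 'fixed' selects whether the local head is reset
 * after the hand-over. Returns 0 on success, -1 on error.
 */
static int ParseContentCoding(const char *header, Request *req, int fixed) {
    CodingEntry *local = NULL, **tail = &local;   /* local list head */
    const char *p = header;
    int status = 0;

    while (*p) {
        while (*p == ' ' || *p == ',') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        size_t len = (size_t)(p - start);
        while (len && start[len - 1] == ' ') len--;
        if (len == 0) break;
        CodingEntry *e = PoolAlloc(start, len);
        if (!e) { status = -1; goto cleanup; }   /* before the hand-over: cleanup is correct */
        *tail = e;
        tail = &e->Next;
    }

    req->CodingList = local;          /* hand the list to the Request object */
    if (fixed)
        local = NULL;                 /* the fix: drop the local reference once the Request owns the list */

    if (p > header && p[-1] == ',') { /* hypothetical failure after the hand-over */
        status = -1;
        goto cleanup;
    }
    return 0;

cleanup:
    FreeList(local);   /* vulnerable variant: frees entries the Request still points to */
    return status;
}

/* Count entries on the Request's list whose backing memory has been freed. */
static int CountDanglingEntries(const Request *req) {
    int n = 0;
    for (const CodingEntry *e = req->CodingList; e; e = e->Next)
        if (!e->InUse) n++;
    return n;
}

static int StatusAfterParse(const char *header, int fixed) {
    Request req = { NULL };
    PoolReset();
    return ParseContentCoding(header, &req, fixed);
}

static int DanglingAfterParse(const char *header, int fixed) {
    Request req = { NULL };
    PoolReset();
    (void)ParseContentCoding(header, &req, fixed);
    return CountDanglingEntries(&req);
}

int main(void) {
    const char *bad = "gzip, deflate, br,";   /* constructed input that hits the error path */
    printf("status %d, vulnerable: %d dangling entries\n", StatusAfterParse(bad, 0), DanglingAfterParse(bad, 0));
    printf("status %d, fixed:      %d dangling entries\n", StatusAfterParse(bad, 1), DanglingAfterParse(bad, 1));
    return 0;
}
```

With the constructed input both variants report the parse error, but only the unfixed one leaves the Request holding three freed entries; the reset of the local head makes the unified error path a no-op for memory that has already changed owner, which is the invariant a reviewer would check in any function that builds a list locally and then transfers it.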