[PoC] CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability Alert

CVE-2022-21907
According to the latest announcement issued by the Microsoft Security Response Center, Microsoft has fixed a high-severity vulnerability in Windows Server and Windows 10/11 in its latest cumulative update. The vulnerability is tracked as CVE-2022-21907, and what is currently known is that it can be exploited by sending specially crafted packets to the HTTP protocol stack. Given the severity of this vulnerability, Microsoft has not released technical details or a proof of concept, and it is expected that this information will not be released until most organizations have completed patching.

This vulnerability affects all versions of Windows 10 from Version 1809 onward, including Windows Server 2019/2022. Microsoft said that organizations should prioritize patching servers, because the vulnerability is wormable: once a host is infected, the malware can spread laterally across the intranet on its own. The latest cumulative update released by Microsoft fixes this vulnerability; affected systems only need to install the latest cumulative update and restart. As for how the vulnerability could be exploited, Microsoft said an attacker would simply send a specially crafted packet to the target server, and the vulnerability would be triggered when the protocol stack processes the data. The protocol stack here is the HTTP protocol stack (http.sys). The vulnerability has a CVSS score of 8.5, and Microsoft said that CVE-2022-21907 is very easy to exploit.

If the latest cumulative update cannot be installed in time, enterprise administrators can also improve security by using the registry to disable a feature that is inactive by default. This mitigation applies to Windows Server 2019 and specifically disables the HTTP Trailer Support interface (which handles HTTP trailer headers) via the registry.

In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry value must be set to introduce the vulnerable condition:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

"EnableTrailerSupport"=dword:00000001
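As an added example (not from the original post, and not antx's PoC), the following PowerShell script audits the registry value above on a host and, with -Remediate, removes it to apply the interim mitigation; the -Remediate switch and the build-number check are assumptions of this example, not part of Microsoft's guidance.

```powershell
# Added example: audit the EnableTrailerSupport value that exposes the vulnerable
# HTTP Trailer Support code path on Windows Server 2019 / Windows 10 1809, and
# optionally remove it as the interim mitigation. Run in an elevated session.
param(
    [switch]$Remediate   # assumed switch: delete the value instead of only reporting
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# Build 17763 is Windows 10 1809 / Windows Server 2019. On later builds the
# registry mitigation does not apply and only the cumulative update helps.
$build = [System.Environment]::OSVersion.Version.Build
Write-Host "OS build: $build"
if ($build -gt 17763) {
    Write-Warning "Registry mitigation only applies to 1809/Server 2019; install the update."
}

$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Host "$valueName is not present: HTTP Trailer Support is disabled (default)."
    exit 0
}

$current = $prop.$valueName
if ($current -eq 1) {
    Write-Warning "$valueName=1: the vulnerable HTTP Trailer Support path is enabled."
    if ($Remediate) {
        # Deleting the value restores the default (feature off); http.sys reads
        # it at service start, so restart the HTTP service or reboot afterwards.
        Remove-ItemProperty -Path $keyPath -Name $valueName
        Write-Host "Removed $valueName. Restart the HTTP service (or reboot) to apply."
        exit 0
    }
    exit 2   # non-zero so a fleet-wide run can flag this host
}
Write-Host "$valueName=$current: trailer support is not enabled."
exit 0
```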

Update:

On January 17th, 2022, antx released a PoC for this vulnerability.