A security researcher has released proof-of-concept exploit code for a critical wormable vulnerability (opens in new tab) found in the latest versions of Windows 10 (opens in new tab) and Windows server.
The vulnerability, tracked as CVE-2021-3166 (opens in new tab), was first discovered in the HTTP Protocol Stack (HTTP.sys) used by the Windows Internet Information Services (IIS) web server as a protocol listener for processing HTTP requests, according to BleepingComputer (opens in new tab).
In order to exploit this vulnerability though, an attacker would have to send a specially crafted packet to servers still using the vulnerable HTTP Protocol Stack to process packets. Thankfully though, Microsoft recently patched the flaw as part of its recent Patch Tuesday (opens in new tab) updates and the vulnerability only affects Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.
- We've built a list of the best endpoint protection software (opens in new tab)
- These are the best firewalls (opens in new tab) on the market
- Also check out our roundup of the best Windows 10 VPN (opens in new tab)
As this bug could allow an unauthenticated attacker to remotely execute arbitrary code, Microsoft strongly recommends that organizations patch all affected servers as soon as possible.
Proof-of-concept exploit code
Security researcher Alex Souchet has released proof-of-concept (PoC) exploit code which lacks auto-spreading capabilities to show how a threat actor could leverage CVE-2021-3166 to launch attacks on vulnerable Windows 10 systems and servers.
By abusing a use-after-free dereference in HTTP.sys, Souchet's exploit is able to trigger a denial of service (DoS) that then leads to a blue screen of death (BSoD (opens in new tab)) on vulnerable systems. He provided further details on how his exploit works in a new post (opens in new tab) on GitHub (opens in new tab), saying:
“The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.”
Although releasing a PoC exploit (opens in new tab) for this vulnerability could make it easier for cybercriminals to develop their own exploits, the fact that this vulnerability has already been patched by Microsoft and rolled out in the latest round of Windows 10 updates means that most systems are likely safe from attacks.
However, if you haven't installed the latest Windows 10 updates from Microsoft yet, now is the time to do so to prevent falling victim to any potential attacks leveraging this vulnerability.
- We've also highlighted the best antivirus (opens in new tab)
Via BleepingComputer (opens in new tab)