Waiting Is the Hardest Part: A Purple Team’s Take on MS15-034

Mick Douglas //

Current Status:

– MS15-034 has a working remote Denial of Service (DoS).

– Remote exploit code appears to be ready soon… maybe.  Stay tuned.

BLUE TEAM MARCHING ORDERS:

– Patch. Now. Please.

– Pay *very* careful attention to your IIS logs for sources that are attempting the DoS or probing for it.  You are being profiled.  Servers that show up as vulnerable in those scans will be the targets once working exploit code is released.  Keep in mind that a box that actually gets knocked over may never log the request that killed it, so the scanning traffic in the days before is often the only warning you get.

RED TEAM MARCHING ORDERS:

– Keep your eyes and ears open.

– Help explain the risks to folks in your org who don’t get the gravity of this.

Details:

Despite a poor reputation for security, for the last few years Microsoft has been doing an amazing job on the security front.  It’s been about seven years since we had a publicly available remote code execution exploit for Windows, and it looks like MS15-034 will likely be the end of that streak.

This is an attack against IIS and any other web service that makes use of HTTP.sys, the kernel-mode HTTP driver that IIS sits on top of.  The vulnerability is triggered by attackers who send specially crafted HTTP requests.  At the time of this writing, most of the attack tools released for this vulnerability ‘simply’ create a denial of service by crashing the listening web service or, because HTTP.sys lives in the kernel, blue-screening the entire server.  Since “availability” is part of the CIA (Confidentiality, Integrity, and Availability) triad, this is a big deal… But it’s likely about to get much worse.
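The Blue Team marching orders above say to watch your IIS logs for the probing.  Here is one way to do that, as an added example and not code from the original post or from BHIS.  It assumes the standard IIS W3C log format, and it keys on one characteristic of the public MS15-034 check that is not described in the post itself: a vulnerable HTTP.sys answers the oversized Range header with an HTTP 416 (Requested Range Not Satisfiable), and since IIS does not record the Range header in its default log fields, the 416 status code is the fingerprint you actually have in the log.  The log lines and addresses below are constructed for the example.

```python
from collections import Counter

# Constructed IIS W3C log excerpt for the example (not a real capture).
# Only the sc-status and c-ip fields matter to the detection below.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-04-16 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-04-16 12:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.20 Mozilla/5.0 - 200 0 0 12
2015-04-16 12:00:02 10.0.0.5 GET /iisstart.htm - 80 - 203.0.113.7 Wget/1.16 - 416 0 0 3
2015-04-16 12:00:02 10.0.0.5 GET /iisstart.htm - 80 - 203.0.113.7 Wget/1.16 - 416 0 0 2
2015-04-16 12:00:03 10.0.0.5 GET /welcome.png - 80 - 203.0.113.7 Wget/1.16 - 416 0 0 2
2015-04-16 12:00:04 10.0.0.5 GET /video.mp4 - 80 - 198.51.100.20 VLC/2.2.1 - 416 0 0 5
2015-04-16 12:00:05 10.0.0.5 GET /login.aspx - 80 - 192.0.2.9 Mozilla/5.0 - 200 0 0 40
"""


def parse_w3c(text):
    """Yield one dict per data row, using the #Fields directive as the schema."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if line.startswith("#"):
            continue                       # other W3C directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row appeared before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip truncated or malformed rows
        yield dict(zip(fields, values))


def find_range_probes(text, threshold=2):
    """Return {client_ip: number_of_416s} for clients at or above threshold.

    A 416 is also what a legitimate client gets for a bad partial download
    (the VLC line above), so a single 416 is noise; a source racking up
    416s across different URIs in a short window is what a scanner looks like.
    """
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("sc-status") == "416":
            counts[row["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def targeted_uris(text, client_ip):
    """URIs a given client received 416s for; useful when deciding whether
    it was a real download client or something walking your site."""
    return sorted({row["cs-uri-stem"] for row in parse_w3c(text)
                   if row.get("sc-status") == "416" and row["c-ip"] == client_ip})


if __name__ == "__main__":
    for ip, n in sorted(find_range_probes(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} x 416 against {targeted_uris(SAMPLE_LOG, ip)}")
```

Point it at the log files under inetpub\logs\LogFiles and tune the threshold to your traffic.  Once your servers are patched the same probe no longer produces a 416, so the script then tells you who is still scanning rather than who is about to knock you over.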

There are newer variants of this attack that appear to be moving beyond the realm of simple DoS and are instead injecting executable code directly into memory. Hint: this isn’t good.  What’s worse is that HTTP.sys is a kernel-mode driver, so code that executes inside it runs in the kernel itself, above any user account on the box, SYSTEM included.  Having random folks from the internet running code of their choice on your server at that level is probably not a good thing.  We at BHIS encourage you to NOT take the approach Blanche DuBois from “A Streetcar Named Desire” did: “I’ve always depended on the kindness of strangers.”

What makes this such a serious issue is that attacking web services is an attack against the raison d’être for these systems.  The flaw is in the component that listens on the port you have to expose, so your external firewall *must* allow access to the very service that’s vulnerable.  D’oh!

Because this vulnerability is such a tempting target, everyone who’s got an iota of exploit development skill is working feverishly on this.   Not only is there lasting fame and fortune for the winner of this race, there’s a SUBSTANTIAL amount of money at stake.  If there’s one thing we’ve learned from the movies, it’s that love conquers all.  Wait, not that.  Greed is good.  So show me the money!