POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability.
create by Malwareman at 2022-09-17.
HTTP Protocol Stack Remote Code Execution Vulnerability.
Similar to [[https://github.com/antx-code/CVE-2021-31166][CVE-2021-31166]].
This problem exists, from last year which is reported on [[https://github.com/antx-code/CVE-2021-31166][CVE-2021-31166]], and still there.
attackComplexity: LOW
attackVector: NETWORK
availabilityImpact: HIGH
confidentialityImpact: HIGH
integrityImpact: HIGH
privilegesRequired: NONE
scope: UNCHANGED
userInteraction: NONE
version: 3.1
baseScore: 9.8
baseSeverity: CRITICAL
Windows
10 Version 1809 for 32-bit Systems
10 Version 1809 for x64-based Systems
10 Version 1809 for ARM64-based Systems
10 Version 21H1 for 32-bit Systems
10 Version 21H1 for x64-based System
10 Version 21H1 for ARM64-based Systems
10 Version 20H2 for 32-bit Systems
10 Version 20H2 for x64-based Systems
10 Version 20H2 for ARM64-based Systems
10 Version 21H2 for 32-bit Systems
10 Version 21H2 for x64-based Systems
10 Version 21H2 for ARM64-based Systems
11 for x64-based Systems
11 for ARM64-based Systems
Windows Server
2019
2019 (Core installation)
2022
2022 (Server Core installation)
version 20H2 (Server Core Installation)
[[./CVE-2022-21907.py][Poc]]
Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. Unless you have enabled the HTTP Trailer Support via EnableTrailerSupport registry value, the systems are not vulnerable.
Delete the DWORD registry value "EnableTrailerSupport" if present under:
#+begin_src bash
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
#+end_src
This mitigation only applies to Windows Server 2019 and Windows 10, version 1809 and does not apply to the Windows 20H2 and newer.
How could an attacker exploit this vulnerability?
In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
Is this wormable?
Yes. Microsoft recommends prioritizing the patching of affected servers.
Windows 10, Version 1909 is not in the Security Updates table. Is it affected by this vulnerability?
No, the vulnerable code does not exist in Windows 10, version 1909. It is not affected by this vulnerability.
Is the EnableTrailerSupport registry key present in any other platform than Windows Server 2019 and Windows 10, version 1809?
No, the registry key is only present in Windows Server 2019 and Windows 10, version 1809
Ref-Risk
[[https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907][HTTP Protocol Stack Remote Code Execution Vulnerability]]
[[https://nvd.nist.gov/vuln/detail/CVE-2022-21907][NVD<CVE-2022-21907>]]