Mitigating Remote Code Execution in "HTTP.sys" (CVE-2015-1635)

A critical vulnerability in the Windows HTTP stack ("HTTP.sys"), resolved in a recent Microsoft Patch Tuesday release, could allow remote attackers to execute code on an IIS server with the privileges of the System account. Proof-of-concept code to check for the vulnerability soon followed. Remote attackers could exploit the way "HTTP.sys" parses requests with a Range header that includes a very large byte range to crash the server or potentially run their shellcode.



[Figure: POC Information]

[Figure: Bug details according to the POC]


More details on the available patch can be found in Microsoft’s security bulletin MS15-034.


The following user-defined signature will detect and mitigate attempts to exploit this vulnerability when using ASM.

ASM versions 11.2.x and above:

headercontent: "range"; nocase; re2:"/bytes\s*=.*?[0-9]{10,}\b/Hi";


ASM versions 11.1.x and below:

headercontent: "range"; nocase; pcre:"/bytes\s*=.*?[0-9]{10,}\b/Hi";
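
The pattern shared by both signatures can be exercised offline before it is deployed. The Python sketch below is an added example, not part of the original article or of F5's code; it assumes the "i" modifier means case-insensitive and "H" restricts the match to the request headers, and all header values in it are constructed.

```python
import re

# Pattern copied from the signatures above. Assumption: the trailing "i" means
# case-insensitive and "H" scopes the match to the request headers, so it is
# applied here to the raw header block only.
SIG_RE = re.compile(r"bytes\s*=.*?[0-9]{10,}\b", re.IGNORECASE)

def signature_matches(header_block: str) -> bool:
    """Emulate headercontent:"range"; nocase; followed by the regex."""
    if "range" not in header_block.lower():
        return False
    return SIG_RE.search(header_block) is not None

def build_headers(range_value=None) -> str:
    """Constructed header block for testing (not captured traffic)."""
    lines = ["Host: www.example.test", "User-Agent: sig-test"]
    if range_value is not None:
        lines.append("Range: " + range_value)
    return "\r\n".join(lines)

# Constructed Range values, chosen to probe the 10-digit threshold.
SAMPLES = {
    "no range header": None,
    "small range": "bytes=0-499",
    "small multi-range": "bytes=0-99,200-299",
    "9-digit bound": "bytes=0-999999999",
    "20-digit bound": "bytes=0-99999999999999999999",
    "mixed case, spaces": "BYTES = 0-99999999999999999999",
    "large bound in 2nd range": "bytes=0-10,20-99999999999999999999",
    # Legitimate request past the first ~1 GB of a large file: also flagged.
    "offset in 2 GiB file": "bytes=2147483648-2147483999",
}

def evaluate() -> dict:
    """Return {label: True if the signature would fire}."""
    return {label: signature_matches(build_headers(value))
            for label, value in SAMPLES.items()}

if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'MATCH' if fired else 'pass ':5}  {label}")
```

Any bound of 1,000,000,000 or more has ten digits, so legitimate range requests into files larger than about 1 GB also match; take that into account when choosing between blocking and alarm-only for applications that serve large downloads.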

Published Apr 15, 2015
Version 1.0

  • Hi Maxim, as a beginner, can you explain to me how to implement this solution in the ASM (BIGIP 10.2.4)?
  • Additional mitigations have been published: Using iRules - Using LineRate -