Maxim_Zavodchik
Historic F5 Account

A critical vulnerability in the Windows HTTP stack ("HTTP.sys"), which was resolved in a recent Microsoft Patch Tuesday release, could allow remote attackers to execute code on an IIS server with the privileges of the System account. Proof-of-concept code to check for the existence of this vulnerability soon followed. Remote attackers could exploit the way "HTTP.sys" parses requests with a Range header that includes a very large byte range to crash the server or potentially run their shellcode.

http://www.exploit-db.com/exploits/36773/

[Figure: POC Information]

[Figure: Bug details according to the POC]

More details on the available patch can be found in Microsoft's security bulletin MS15-034:

https://technet.microsoft.com/library/security/MS15-034

 

The following user-defined signatures will detect and mitigate attempts to exploit this vulnerability when using ASM.

ASM versions 11.2.x and above:

headercontent: "range"; nocase; re2:"/bytes\s*=.*?[0-9]{10,}\b/Hi";

 

ASM versions 11.1.x and below:

headercontent: "range"; nocase; pcre:"/bytes\s*=.*?[0-9]{10,}\b/Hi";
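
The match logic of these signatures can be checked offline before they are deployed. The Python sketch below is an added example, not F5's or the author's code: it applies the signatures' regular expression to constructed requests, approximating the header scope by searching only the header block (an assumption about how ASM scopes the match), and shows which Range values match, including a legitimate offset into a large file. The host, path and sample values are placeholders.

```python
import re

# Regex body copied from the signatures above; the "i" modifier maps to
# re.IGNORECASE. The "H" (headers) scope is approximated by searching only
# the header block, which is an assumption about how ASM scopes the match.
SIG_RE = re.compile(r"bytes\s*=.*?[0-9]{10,}\b", re.IGNORECASE)

def header_block(raw_request: bytes) -> str:
    """Header lines only: drop the request line and anything after CRLFCRLF."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n", 1)[1] if "\r\n" in head else ""

def signature_matches(raw_request: bytes) -> bool:
    headers = header_block(raw_request)
    # headercontent:"range"; nocase; means the literal must occur in the headers
    if "range" not in headers.lower():
        return False
    return SIG_RE.search(headers) is not None

def build_request(range_value=None, body=""):
    """Constructed sample request; host and path are placeholders."""
    lines = ["GET /download.bin HTTP/1.1", "Host: iis.example"]
    if range_value is not None:
        lines.append("rAnGe: " + range_value)  # mixed case exercises nocase
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")

# Constructed Range values (not taken from the PoC).
SAMPLES = {
    "small_range": "bytes=0-1023",
    "nine_digits": "bytes=0-999999999",
    "huge_end": "bytes=0-" + "9" * 20,
    "spaced_equals": "bytes = 5-" + "9" * 20,
    "second_range_huge": "bytes=0-10, 20-" + "9" * 12,
    "legit_2gib_offset": "bytes=2147483648-2147484671",
}

def evaluate():
    results = {n: signature_matches(build_request(v)) for n, v in SAMPLES.items()}
    results["no_range_header"] = signature_matches(build_request())
    # Pattern present in the body only: outside header scope, so no match.
    results["body_only"] = signature_matches(
        build_request(body="range bytes=0-" + "9" * 20))
    return results

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20} {'MATCH' if hit else 'no match'}")
```

Because any run of ten or more digits matches, legitimate range requests at offsets of 1,000,000,000 bytes or more (large downloads, video seeking) also trigger the signature, so review hits before enforcing blocking on applications that serve large files.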

Comments
Tarik_B_
Nimbostratus
Hi Maxim, as a beginner, can you explain to me how to implement this solution in the ASM (BIGIP 10.2.4)?
Maxim_Zavodchik
Historic F5 Account
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/config_guide_asm_10_2_0/asm_attack_sigs.html1047564
MegaZone
F5 Employee
Additional mitigations have been published:
Using iRules - https://devcentral.f5.com/s/articles/using-irules-to-mitigate-microsofts-ms15-034-cve-2015-1635-range-vulnerability
Using LineRate - https://devcentral.f5.com/s/articles/linerate-range-header-attack-mitigation
Last update: 15-Apr-2015 11:42