Thursday, April 16, 2015

How to test for Critical Microsoft IIS Vulnerabilty (MS15-034) Allow Remote Code Execution

Critical Microsoft IIS Vulnerabilty (MS15-034) released April 14, 2015

Allows is a vulnerability in HTTP.sys Could Allow Remote Code Execution on unpatched IIS, on all Windows x64 systems affected. 

Full details of the security bulltein provided by Microsoft at

This vulnerability can allow a remote and unauthenticated denial of service (DoS) and a possible remote code execution (RCE). An attacker sends a specially crafted http request with the correct header to exploit it.

To identify if your Windows server is vulnerable, run the following command under another another Unix/Linux/Mac bash shell. Substitute your windows machine up address with SERVER_IP. 

If you get the following response then it’s vulnerable:

In fact if any part of the response contains "Requested Range Not Satisfiable" then you are vulnerable, whether its a header response as HTTP/1.1 416 Requested Range Not Satisfiable or wrapped in HTML tags.

The stated temporary workaround in the bulletin is to “Disable IIS kernel caching”, in IIS, until you get patched. 

Play safe my friends.

No comments:

Post a Comment