Date: 2022-02-16

Affected Platforms: Windows Server 2022, Windows Server 2019, Windows 10

Impacted Users: Any organization running an affected Windows system

Impact: Denial of service to affected systems

Severity Level: High



On January 11th, 2022, Microsoft released a patch for CVE-2022-21907 as part of its Patch Tuesday release. CVE-2022-21907 attracted special attention from industry insiders because of the claim that the vulnerability is wormable. In this analysis we look at the cause of the vulnerability and how attackers can exploit it.

CVE-2022-21907 is a remote code execution vulnerability in the Internet Information Services (IIS) component of Windows. More specifically, it affects http.sys, the kernel-mode driver that handles most of the core IIS request-processing operations. At a minimum, the vulnerability can cause a denial of service on the victim's machine by crashing the operating system. It might also be possible to chain this vulnerability with another one to achieve remote code execution.

We used Windows Server 2022 build 10.0.20348.143 as the base of our analysis. IIS is also present on Windows 10. We also examined the Windows 10 (2H 2021) http.sys and confirmed that the same vulnerable code path exists. However, since IIS is not enabled by default on Windows 10, the likelihood of Windows 10 systems being exploited is significantly lower.

First, we performed a binary diff between the vulnerable http.sys and the patched http.sys (10.0.20348.469). We used BinDiff to compare the two binaries and highlight the functions that were modified. While a few functions were heavily modified, we were interested in two particular functions: http!UlpAllocateFastTracker() and http!UlFastSendHttpResponse().

(As an aside, we did our initial analysis on the Windows 10 http.sys, and these two functions are the only ones patched on Windows 10.)

In http!UlpAllocateFastTracker(), we see the following differences: