The vulnerability, tracked as CVE-2021-3166, was first discovered in the HTTP Protocol Stack (HTTP.sys) used by the Windows Internet Information Services (IIS) web server as a protocol listener for processing HTTP requests, according to BleepingComputer.
In order to exploit this vulnerability though, an attacker would have to send a specially crafted packet to servers still using the vulnerable HTTP Protocol Stack to process packets. Thankfully though, Microsoft recently patched the flaw as part of its recent Patch Tuesday updates and the vulnerability only affects Windows 10 versions 2004/20H2 and Windows Server versions 2004/20H2.
As this bug could allow an unauthenticated attacker to remotely execute arbitrary code, Microsoft strongly recommends that organizations patch all affected servers as soon as possible.
Proof-of-concept exploit code
Security researcher Alex Souchet has released proof-of-concept (PoC) exploit code which lacks auto-spreading capabilities to show how a threat actor could leverage CVE-2021-3166 to launch attacks on vulnerable Windows 10 systems and servers.
By abusing a use-after-free dereference in HTTP.sys, Souchet’s exploit is able to trigger a denial of service (DoS) that then leads to a blue screen of death (BSoD) on vulnerable systems. He provided further details on how his exploit works in a new post on GitHub, saying:
“The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it’s done, it moves it into the Request structure; but it doesn’t NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.”
Although releasing a PoC exploit for this vulnerability could make it easier for cybercriminals to develop their own exploits, the fact that this vulnerability has already been patched by Microsoft and rolled out in the latest round of Windows 10 updates means that most systems are likely safe from attacks.
However, if you haven’t installed the latest Windows 10 updates from Microsoft yet, now is the time to do so to prevent falling victim to any potential attacks leveraging this vulnerability.