Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Content Delivery

How to Use Content switching to Mitigate against MS15-034 Vulnerability

Updated

Summary: An exploit has been found effecting IIS server MS15-034. The exploit involves using the Range Header to potentially allow remote code execution.  

Details:

It is recommended that anyone effected install the latest Microsoft patch to mitigate against this.

If you are using the Kemp Loadmaster you may also use the Content Switching feature to Block/Modify requests which trigger the vulnerability.

As the exploit involves accessing memory at "-1" location using the value 18446744073709551615, one method to block is to restrict the length of values in the range header. The following rule will match any request with a Range header which includes a value >10 digits and remove this value from the request.

Rule Name: MS15034
Rule Type: Replace Header
Header Field: Range
Match String: /(bytes\s*=)(.*?)(([0-9]){10,})(.*)/
Value of Header Field to be replaced: \1\2\4
Perform If flag Set: unset
 
Test
 
curl -v http://10.111.0.171/welcome.png -H "Host: domain.com" -H "Range: bytes = 10-18446744073709551615" -k
 
 
Client -> Loadmaster
HTTP Header
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-18446744073709551615
 
Loadmaster -> Real Server
HTTP Header:
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-

 
 
Test with range header values < 10 digits
 
curl -v http://10.111.0.171/welcome.png -H "Host: domain.com" -H "Range: bytes = 10-123456789" -k
 
Client -> Loadmaster
HTTP Header
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789
 
 
Loadmaster -> Real Server
HTTP Header:
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789

 
To Apply this rule:
1. Create the content rule as above
Rules & Checking-Content Rules-Create New
2. Under the Virtual Service apply as a Header modification rule
Virtual Services-View/Modify Services-Advanced Properties-Content Switching-Enable
Virtual Services-View/Modify Services-Advanced Properties-Content Switching-Enable-HTTP Header Modifications  
 
3. Apply the rule Created as a request rule. 
 
 
 
 
 

Comments

In this document