How to Use Content Switching to Mitigate the MS15-034 Vulnerability

Summary: An exploit has been found affecting IIS servers (MS15-034). The exploit uses the HTTP Range header and can potentially allow remote code execution.

Details:

It is recommended that anyone affected install the latest Microsoft patch to mitigate this.

If you are using the Kemp LoadMaster you may also use the Content Switching feature to block or modify requests which trigger the vulnerability.

Because the exploit relies on a Range value of 18446744073709551615 (the largest unsigned 64-bit integer, which the server treats as a "-1" memory location), one way to block it is to restrict the length of the numeric values in the Range header. The following rule matches any request whose Range header contains a numeric value of 10 or more digits (the {10,} quantifier in the match string) and removes that value from the request.

Rule Name: MS15034
Rule Type: Replace Header
Header Field: Range
Match String: /(bytes\s*=)(.*?)(([0-9]){10,})(.*)/
Value of Header Field to be replaced: \1\2\4
Perform If flag Set: unset
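The same check, reimplemented in Python as an added example (this is not LoadMaster code) so the rule's effect on a request can be verified offline. The pattern is written without the nested ([0-9]) group so that the backreferences are unambiguous; the sample requests are constructed to mirror the curl tests below, and the function also reports whether the rule fired, which is the event a defender would want to log.

```python
import re

# Same idea as the LoadMaster rule, but without the nested ([0-9]) group:
# group 1 = "bytes =", group 2 = text before the long number,
# group 3 = the 10-or-more digit number, group 4 = whatever follows it.
RANGE_RULE = re.compile(r"(bytes\s*=)(.*?)([0-9]{10,})(.*)")


def apply_ms15034_rule(range_value):
    """Mirror the 'Replace Header' rule on the Range value.

    Returns (new_value, matched). A 10+ digit number is dropped and the
    text around it is kept, so the request is modified, not rejected."""
    m = RANGE_RULE.search(range_value)
    if not m:
        return range_value, False
    return m.group(1) + m.group(2) + m.group(4), True


def filter_request(raw_request):
    """Apply the rule to every Range header in a raw request block.

    Returns (rewritten_request, fired); 'fired' is True when at least one
    header was changed, which is the condition worth logging."""
    fired = False
    out = []
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":
            new_value, matched = apply_ms15034_rule(value.strip())
            fired = fired or matched
            line = "%s: %s" % (name, new_value)
        out.append(line)
    return "\n".join(out), fired


# Constructed sample requests, modelled on the two curl tests in this article.
MALICIOUS = ("GET /welcome.png HTTP/1.1\nHost: domain.com\n"
             "Range: bytes = 10-18446744073709551615")
BENIGN = ("GET /welcome.png HTTP/1.1\nHost: domain.com\n"
          "Range: bytes = 10-123456789")

if __name__ == "__main__":
    for req in (MALICIOUS, BENIGN):
        body, fired = filter_request(req)
        print("rule fired: %s\n%s\n" % (fired, body))
```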
 
Test
 
curl -v http://10.111.0.171/welcome.png -H "Host: domain.com" -H "Range: bytes = 10-18446744073709551615" -k
Client -> Loadmaster
HTTP Header
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-18446744073709551615
 
Loadmaster -> Real Server
HTTP Header:
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-
Test with a Range header value of fewer than 10 digits
 
curl -v http://10.111.0.171/welcome.png -H "Host: domain.com" -H "Range: bytes = 10-123456789" -k
 
Client -> Loadmaster
HTTP Header
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789
Loadmaster -> Real Server
HTTP Header:
GET /welcome.png HTTP/1.1
User-Agent: curl/7.37.1
Accept: */*
Host: domain.com
Range: bytes = 10-123456789
To apply this rule:
1. Create the content rule as above:
Rules & Checking > Content Rules > Create New
2. Under the Virtual Service, enable Content Switching and apply the rule as a header modification rule:
Virtual Services > View/Modify Services > Advanced Properties > Content Switching > Enable
Virtual Services > View/Modify Services > Advanced Properties > Content Switching > Enable > HTTP Header Modifications

3. Apply the rule created above as a Request rule.