Lync (serious) vulnerable and exploited without MS15-034

The recent MS15-034 security update addresses a vulnerability in how the Windows HTTP stack (http.sys) handles requests.
Although the affected operating system component is usually associated with IIS, many other applications rely on the Windows HTTP stack. And Lync is one of them!
How serious is this vulnerability, and why should you patch immediately?

  • It can be used for DoS attacks, and there is a chance it can be used to run code remotely
  • Any user can run an exploit of some kind without special permissions or much knowledge;
    it can be a simple copy and paste of code (see the PoC)
  • Your Lync front-end servers can be exploited by an internet attacker if the reverse proxy (and/or the firewall) cannot detect and intercept the exploit attempts.
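As an added example (not part of the original post), here is a small Python check of the kind a reverse proxy or log-review script could apply to the Range header to spot this class of request; the 4 GiB threshold and the log line format are assumptions, and the sample log lines are constructed.

```python
import re

# The Range value in public MS15-034 test requests ends at 2**64 - 1, the
# largest unsigned 64-bit integer. No real client asks for such a range.
UINT64_MAX = 2**64 - 1

# Assumed threshold: any last-byte-pos at or above 4 GiB is treated as
# implausible for a legitimate partial-content request on these servers.
SANE_LIMIT = 2**32

_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)

def is_suspicious_range(header_value):
    """Return True if a Range header looks like an http.sys overflow attempt.

    Parses 'bytes=first-last[,first-last...]' (RFC 7233 syntax) and flags any
    range whose last-byte-pos is absurdly large (e.g. 18446744073709551615).
    """
    m = _RANGE_RE.match(header_value or "")
    if not m:
        return False
    for spec in m.group(1).split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or not last.isdigit():
            continue  # open-ended ('500-') or malformed spec: not this pattern
        if int(last) >= SANE_LIMIT:
            return True
    return False

def scan_log(lines):
    """Scan constructed proxy log lines of the form
    '<ip> <method> <path> range="<Range value>"' and return (ip, path) hits."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+) \S+ (\S+) range="([^"]*)"', line)
        if m and is_suspicious_range(m.group(3)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 GET /images/logo.png range="bytes=0-1023"',
    '10.0.0.7 GET /iis-85.png range="bytes=20-18446744073709551615"',
    '10.0.0.9 GET /video.mp4 range="bytes=1000-2000,4000-5000"',
    '10.0.0.11 GET /file.bin range=""',
]

if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"suspicious Range request from {ip} for {path}")
```

Blocking on this check at the reverse proxy is a stopgap only; the front-end servers still need the update.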

Which Lync ‘roles’ are affected?

  • Front-End – there are many applications/pools that can be exploited
  • Edge server – not affected from the outside, but the internal DMZ replica service (typically on port 4443) can be exploited
  • Persistent chat – not affected
  • (SQL) Monitoring reports – affected
  • Office Web Apps – affected

To show how easily the exploit can be built and run, here’s a simple proof of concept. I needed just 10 minutes to find a possible HTTP request and run cURL on an internal PC without any admin rights:

(image: exploiting-pc)

The server running Lync will stop responding and (if you are fast enough) you will see the operating system generating a dump report before restarting.

(image: exploited-server)

An exploited server will also display a MER message when you log on to it:

(image: post-exploited-server)

You might want to look carefully for Lync and other co-located applications that could also allow an exploit. This command lists which services are relying on the Windows HTTP stack:
netsh http show servicestate | find "://"

So it’s better to start patching all Windows operating systems on your network… fast

Additional references:


2 thoughts on “Lync (serious) vulnerable and exploited without MS15-034”

  1. soder 21/04/2015 / 08:41

    curl -v 10.0.1.1/iis-85.png -H "Host: irrelevant" -H "Range: bytes=20-18446744073709551615"

    On an unpatched system this does not do anything at all. Definitely no BSOD. I suspect some extra parameter which is needed for this 1-shot kill to work is omitted from the public reports on purpose.

  2. LuisR 22/04/2015 / 12:39

    I didn’t want to publish the exploit code, to avoid some ‘curious/funny’ users starting to just try to annoy the Lync admins around the world.
    Tip: to get the code to work you need a valid/working url 😉
