Vulnerabilities > CVE-2015-1635 - Code Injection vulnerability in Microsoft products

CVSS 10.0 - CRITICAL
  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, low complexity, microsoft, CWE-94, critical, nessus, exploit available, metasploit

Summary

HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads a resource (such as an image file or configuration file), the attacker has modified that file either to execute malicious code directly or to manipulate the target process (e.g. an application server) into acting on the malicious configuration parameters. Since systems increasingly mash up resources from local and remote sources, the likelihood of this attack is high. The attack can be directed at a client system, for example causing a buffer overrun by loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files: the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/), e.g. http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes it is reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes: the attacker edits a resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE application server, and adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

  • description: Microsoft Window - HTTP.sys PoC (MS15-034). CVE-2015-1635. DoS exploit for windows platform
    file: exploits/windows/dos/36773.c
    id: EDB-ID:36773
    last seen: 2016-02-04
    modified: 2015-04-15
    platform: windows
    port:
    published: 2015-04-15
    reporter: rhcp011235
    source: https://www.exploit-db.com/download/36773/
    title: Microsoft Window - HTTP.sys PoC MS15-034
    type: dos
  • description: MS Windows (HTTP.sys) - HTTP Request Parsing DoS (MS15-034). CVE-2015-1635. DoS exploit for windows platform
    file: exploits/windows/dos/36776.py
    id: EDB-ID:36776
    last seen: 2016-02-04
    modified: 2015-04-16
    platform: windows
    port: 80
    published: 2015-04-16
    reporter: laurent gaffie
    source: https://www.exploit-db.com/download/36776/
    title: MS Windows HTTP.sys - HTTP Request Parsing DoS MS15-034
    type: dos

Metasploit

Msbulletin

bulletin_id: MS15-034
bulletin_url:
date: 2015-04-14T00:00:00
impact: Remote Code Execution
knowledgebase_id: 3042553
knowledgebase_url:
severity: Critical
title: Vulnerability in HTTP.sys Could Allow Remote Code Execution

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS15-034.NASL
    description: The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82771
    published: 2015-04-14
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/82771
    title: MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82771);
      script_version("1.8");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id("CVE-2015-1635");
      script_bugtraq_id(74013);
      script_xref(name:"MSFT", value:"MS15-034");
      script_xref(name:"MSKB", value:"3042553");
      script_xref(name:"IAVA", value:"2015-A-0092");
    
      script_name(english:"MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)");
      script_summary(english:"Checks the file version of HTTP.sys.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by a vulnerability in the HTTP
    protocol stack.");
      script_set_attribute(attribute:"description", value:
    "The version of Windows running on the remote host is affected a
    vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly
    parsing crafted HTTP requests. A remote attacker can exploit this to
    execute arbitrary code with System privileges.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 7, 2008 R2, 8,
    8.1, 2012, and 2012 R2");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS15-034';
    kb = '3042553';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / Windows Server 2012 R2 / Windows Server 2012 R2 (Server Core installation)
      hotfix_is_vulnerable(os:"6.3", sp:0, file:"http.sys", version:"6.3.9600.17712", min_version:"6.3.9600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Windows 8 / Windows Server 2012 / Windows Server 2012 (Server Core installation)
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"http.sys", version:"6.2.9200.21401", min_version:"6.2.9200.20000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.2", sp:0, file:"http.sys", version:"6.2.9200.17285", min_version:"6.2.9200.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
    
      # Windows 7 / Server 2008 R2
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"http.sys", version:"6.1.7601.22976", min_version:"6.1.7601.22000", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"http.sys", version:"6.1.7601.18772", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: MS15-034.NASL
    description: The version of Windows running on the remote host is affected by an integer overflow condition in the HTTP protocol stack (HTTP.sys) due to improper parsing of crafted HTTP requests. An unauthenticated, remote attacker can exploit this to execute arbitrary code with System privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 82828
    published: 2015-04-16
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/82828
    title: MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82828);
      script_version("1.12");
      script_cvs_date("Date: 2019/09/23 17:26:04");
    
      script_cve_id("CVE-2015-1635");
      script_bugtraq_id(74013);
      script_xref(name:"MSFT", value:"MS15-034");
      script_xref(name:"IAVA", value:"2015-A-0092");
      script_xref(name:"EDB-ID", value:"36773");
      script_xref(name:"EDB-ID", value:"36776");
      script_xref(name:"MSKB", value:"3042553");
    
      script_name(english:"MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) (uncredentialed check)");
      script_summary(english:"Checks response from HTTP.sys.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by a remote code execution
    vulnerability in the HTTP protocol stack.");
      script_set_attribute(attribute:"description", value:
    "The version of Windows running on the remote host is affected by an
    integer overflow condition in the HTTP protocol stack (HTTP.sys) due
    to improper parsing of crafted HTTP requests. An unauthenticated,
    remote attacker can exploit this to execute arbitrary code with System
    privileges.");
      # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c5d803b6");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows 7, 2008 R2, 8,
    8.1, 2012, and 2012 R2");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1635");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/16");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl", "http_version.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/www",80, 443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    function possible_middlebox(port)
    {
      local_var banner, list, p;
    
      list = get_kb_list('Services/www');
      if(list)
      {
        list = make_list(list);  
        foreach p (list)
        {
          if (p == port)
            continue;
    
          banner = get_http_banner(port:p);
          if('BigIP' >< banner)
            return TRUE;
        }
      }
      
      return FALSE; 
    }
    
    # Check OS
    os = get_kb_item("Host/OS");
    if ("Microsoft Windows Server 2008 R2" >!< os  && 
        "Microsoft Windows Server 2012" >!< os &&
        "Microsoft Windows 8" >!< os &&
        "Microsoft Windows 7" >!< os)
          audit(AUDIT_OS_NOT,"Microsoft Windows 7 / 2008 R2 / 8 / 8.1 / 2012 / 2012 R2");  
    
    # Check for IIS only   
    # WinRM and PowerShell Remoting don't seem to be vulnerable according to
    # https://twitter.com/Lee_Holmes/status/588464652708806656
    port = get_http_port(default:80);
    banner = get_http_banner(port:port);
    if ("Microsoft-IIS" >!< banner) 
          exit(0, "The web server listening on port " + port + " does not appear to be Microsoft IIS."); 
    
    #
    # Skip testing if scanning through a 'middle box' 
    #
    if (possible_middlebox(port:port))
    {
      exit(0, "The remote host may be scanned through a 'middle box' which could produce unreliable scan results. Skipped testing the web server listening on port " + port + "."); 
    }
    
    r = http_send_recv3(port: port, item: "/", method: "GET", 
                        add_headers: make_array("Range", "bytes=0-18446744073709551615"));
    
    if(isnull(r[0])) audit(AUDIT_RESP_NOT, port);
    
    if (r[0] =~ "^HTTP/[0-9.]+ +(416|302|301|307|200|401)")
    {
      # Paranoid due to potential FP when scanning through otherwise
      # undetectable loadbalancer.
      if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
      extra = 'HTTP response status: ' + r[0];
      security_report_v4(port: port, severity: SECURITY_HOLE, extra: extra);
    }
    else if (r[0] =~ "^HTTP/[0-9.]+ +400")
    {
      audit(AUDIT_HOST_NOT, 'affected');
    }
    else
    {
      exit(1, "Unexpected HTTP response status from remote port "+ port+ ": " + r[0]);  
    }
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/131463/ms15-034.txt
id: PACKETSTORM:131463
last seen: 2016-12-05
published: 2015-04-16
reporter: rhcp011235
source: https://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html
title: Microsoft Windows HTTP.sys Proof Of Concept

Seebug

bulletinFamily: exploit
description:
<h4>1. Vulnerability overview</h4>
<p>On April 14, 2015, Microsoft released the critical-severity security bulletin MS15-034, assigned CVE-2015-1635, which states that a vulnerability in Http.sys could allow remote code execution.</p>
<ul><li><strong>Vulnerability description</strong></li></ul>
<p>Http.sys is a core component of the Windows operating system that lets any application communicate over the HTTP protocol through the interface it exposes. Microsoft introduced the new HTTP API and the kernel-mode driver Http.sys in Windows 2003 Server to make HTTP-based services more efficient. In fact, Http.sys was already present on Windows XP once SP2 was installed, but the operating system did not actually use this kernel-level driver, and the IIS 5.1 bundled with XP did not use the HTTP API either.</p>
<p>Judging from the published PoC, this vulnerability is an integer overflow; Microsoft's security bulletin states that the maximum security impact is remote code execution.</p>
<ul><li><strong>Vulnerability impact</strong></li></ul>
<p>Affected versions:</p>
<p>Windows 7/8/8.1 and Windows Server 2008 R2/Server 2012/Server 2012 R2 running IIS 7.0 or later.</p>
<ul><li><strong>Vulnerability analysis</strong></li></ul>
<p>Patch comparison shows that the code referred to in the PoC lies in the modified part of the UlpParseRange function.</p>
<p>In the UlpParseRange function of the unpatched Http.sys, the code is as follows.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.171.jpg" alt="4.171" height="294" width="358"></p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.172.jpg" alt="4.172" height="35" width="536"></p>
<p>As can be seen, the 64-bit integer arithmetic is performed directly, without the necessary integer overflow check.</p>
<p>In the UlpParseRange function of the patched Http.sys, the modified code is as follows.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.173.jpg" alt="4.173" height="284" width="340"></p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.174.jpg" alt="4.174" height="20" width="649"></p>
<p>The Range length v18 is now computed with the RtlULongLongAdd function, which does perform an integer overflow check.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.175.jpg" alt="4.175" height="323" width="792"></p>
<p>Next, look at the calls to the RtlULongLongAdd function.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.176.jpg" alt="4.176" height="139" width="690"></p>
<p>The unpatched Http.sys calls RtlULongLongAdd in only 1 place.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.177.jpg" alt="4.177" height="333" width="393"></p>
<p>The patched Http.sys calls RtlULongLongAdd in 13 places in total to check for integer overflow, which indicates that on a vulnerable system several processing paths may be exposed to security problems caused by integer overflow.</p>
<p>Patch comparison identifies the modified functions as follows.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.178.jpg" alt="4.178" height="202" width="701"></p>
<p>Analysis shows that the integer overflow point in the UlAdjustRangesToContentSize function is the key path that makes the vulnerability effective.</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.179.jpg" alt="4.179" height="295" width="452"></p>
<p>This code again performs 64-bit integer arithmetic directly without checking for overflow; in the patched file it is replaced by a call to RtlULongLongAdd.</p>
<p>The purpose of this code is to determine whether the range of file offsets being fetched exceeds the data length of the requested cached file, and if so to adjust the read length to a suitable size to prevent out-of-bounds data access. Because of the integer overflow, however, the bounds check is defeated, the read length is not adjusted, and an attacker-controlled length value leads to out-of-bounds data access.</p>
<p>Successfully exploiting this vulnerability, however, requires some additional conditions; the details await further analysis.</p>
<ul><li><strong>Vulnerability verification</strong></li></ul>
<p>The Python program in the PoC section can be used to test a system for the vulnerability.</p>
<p>If it prints "Looks VULN", the system is vulnerable.</p>
<h4>2. ZoomEye emergency summary</h4>
<p>The Knownsec security research team searched the whole Internet with the cyberspace search engine ZoomEye and obtained the following proportions of IIS versions used by potentially affected websites:</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE1.png" alt="4.16配图1" height="323" width="575"></p>
<p>▲ Proportion of versions used by threatened websites</p>
<p><img src="http://blog.knownsec.com/wp-content/uploads/2015/04/4.16%E9%85%8D%E5%9B%BE2.png" alt="4.16配图2" height="509" width="672"></p>
<p>▲ Regional distribution of websites in China affected by the IIS vulnerability</p>
<p>In addition, ZoomEye search results show that the total number of websites in China threatened by the vulnerability reaches 795,317, more than one fifth of all websites in the country; by region, Beijing ranks first with 276,39. Remediation cannot be delayed. Network administrators are asked to apply the patch as soon as possible; the official patch download address is:</p>
<ul><li><a href="https://support.microsoft.com/zh-cn/kb/3042553">https://support.microsoft.com/zh-cn/kb/3042553</a>.</li></ul>
<h4>3. Remediation advice</h4>
<p>Use the Windows Update mechanism to select the KB3042553 security update and upgrade the system.</p>
<p>Online verification address for this vulnerability: <a href="http://www.scanv.com/lab" target="_blank">http://www.scanv.com/lab</a></p>
<h4>4. Related resource links</h4>
<ul><li><a href="https://technet.microsoft.com/zh-cn/library/security/ms15-034">https://technet.microsoft.com/zh-cn/library/security/ms15-034</a></li></ul>
<p>Emergency report download: <a target="_blank" href="http://blog.knownsec.com/wp-content/uploads/2015/04/IIS%E7%B3%BB%E5%88%97Http.sys%E5%A4%84%E7%90%86Range%E6%95%B4%E6%95%B0%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E-%E5%BA%94%E6%80%A5%E5%88%86%E6%9E%90%E6%8A%A5%E5%91%8AV1-.pdf">IIS series Http.sys Range handling integer overflow vulnerability, emergency analysis report V1</a><br></p>
id: SSV:89233
last seen: 2017-11-19
modified: 2015-07-01
published: 2015-07-01
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-89233
title: Integer overflow vulnerability in Range handling in Http.sys of the IIS series
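The two overflow points the Seebug analysis describes (the range length computed in UlpParseRange, and the start-plus-length bounds check in UlAdjustRangesToContentSize), modelled in C as an added example. This is not the page's own code and not HTTP.sys source: checked_add_u64 is an assumed stand-in for the RtlULongLongAdd semantics the analysis refers to (report failure instead of wrapping), the function names and sample Range header values are constructed here, and the 1000-byte resource size is arbitrary. It shows why a range that ends at 2^64-1 slips past an unchecked comparison and why the checked addition rejects it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of applying one byte range to a resource of known size. */
typedef enum { RANGE_OK = 0, RANGE_CLAMPED = 1, RANGE_REJECTED = 2 } range_result;

/* Illustrative stand-in for RtlULongLongAdd (assumed semantics: fail instead
 * of wrapping). Not the Windows implementation. */
static bool checked_add_u64(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a > UINT64_MAX - b)
        return false;               /* a + b would wrap modulo 2^64 */
    *out = a + b;
    return true;
}

/* Parse a single "bytes=<start>-<end>" value with both bounds present.
 * Returns false on a syntax error or when end < start. */
bool parse_single_range(const char *value, uint64_t *start, uint64_t *end)
{
    if (strncmp(value, "bytes=", 6) != 0)
        return false;
    const char *p = value + 6;
    char *q;
    errno = 0;
    unsigned long long s = strtoull(p, &q, 10);
    if (errno != 0 || q == p || *q != '-')
        return false;
    p = q + 1;
    errno = 0;
    unsigned long long e = strtoull(p, &q, 10);
    if (errno != 0 || q == p || *q != '\0' || e < s)
        return false;
    *start = s;
    *end = e;
    return true;
}

/* Model of the unpatched flow: plain 64-bit arithmetic both when deriving the
 * length (end - start + 1) and when comparing start + length to the content
 * size. Either addition can wrap, and a wrapped value passes the comparison. */
range_result adjust_range_unchecked(uint64_t start, uint64_t end,
                                    uint64_t content_size, uint64_t *read_len)
{
    if (start >= content_size)
        return RANGE_REJECTED;          /* first byte lies past the resource */
    uint64_t len = end - start + 1;     /* wraps to 0 for bytes=0-18446744073709551615 */
    uint64_t limit = start + len;       /* wraps for any range ending at 2^64-1 */
    if (limit > content_size) {
        *read_len = content_size - start;   /* clamp to the bytes that exist */
        return RANGE_CLAMPED;
    }
    *read_len = len;                    /* "in bounds": length is whatever the client sent */
    return RANGE_OK;
}

/* Model of the patched flow: both additions go through the checked helper and
 * a wrap is treated as an invalid range instead of a small number. */
range_result adjust_range_checked(uint64_t start, uint64_t end,
                                  uint64_t content_size, uint64_t *read_len)
{
    uint64_t len, limit;
    if (start >= content_size)
        return RANGE_REJECTED;
    if (!checked_add_u64(end - start, 1, &len))
        return RANGE_REJECTED;
    if (!checked_add_u64(start, len, &limit))
        return RANGE_REJECTED;
    if (limit > content_size) {
        *read_len = content_size - start;
        return RANGE_CLAMPED;
    }
    *read_len = len;
    return RANGE_OK;
}

/* Header value in, decision and read length out; patched selects the model. */
range_result process_range_header(const char *value, uint64_t content_size,
                                  bool patched, uint64_t *read_len)
{
    uint64_t start, end;
    if (!parse_single_range(value, &start, &end))
        return RANGE_REJECTED;
    return patched ? adjust_range_checked(start, end, content_size, read_len)
                   : adjust_range_unchecked(start, end, content_size, read_len);
}

int main(void)
{
    /* Constructed sample header values, not captured traffic. */
    const char *samples[] = {
        "bytes=0-99",                     /* ordinary range */
        "bytes=900-5000",                 /* runs past the end: should clamp */
        "bytes=18-18446744073709551615",  /* start + length wraps in the adjust step */
        "bytes=0-18446744073709551615",   /* end - start + 1 wraps in the parse step */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t n1 = 0, n2 = 0;
        int r1 = process_range_header(samples[i], 1000, false, &n1);
        int r2 = process_range_header(samples[i], 1000, true, &n2);
        printf("%-32s unpatched: %d len=%llu | patched: %d len=%llu\n", samples[i],
               r1, (unsigned long long)n1, r2, (unsigned long long)n2);
    }
    return 0;
}
```

Against a 1000-byte resource the unchecked model reports bytes=18-18446744073709551615 as in bounds with a read length of 18446744073709551598, because start + length wrapped to 0 before the comparison; the checked model rejects that range and bytes=0-18446744073709551615 outright, while ordinary and merely oversized ranges behave the same in both.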