attack code

Security researcher Axel Souchet has released proof of concept code on GitHub that exploits CVE-2021-31166. Luckily, this CVE was patched by Microsoft with the release of KB5003173 during the May 2021 Patch Tuesday.

The proof of concept code lacks auto-spreading capabilities but malicious actors could develop their own code similar to his to perform remote code execution. Execution of Souchet's demonstration code triggers a blue screen of death.

Alex further explains:

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

exploit gif

Microsoft recommends prioritizing patching all affected servers since the bug is wormable and in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (HTTP.sys) to process packets. Systems running the latest version of Windows 10 that are fully patched should be safe from attacks.

Source: GitHub via BleepingComputer