CVE-2011-1965
Published 2011-08-10
Priority: P347, high, 7.1 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 24.93% (97.6th percentile)
Tcpip.sys in the TCP/IP stack in Microsoft Windows 7 Gold and SP1 and Windows Server 2008 R2 and R2 SP1 does not properly implement URL-based QoS, which allows remote attackers to cause a denial of service (reboot) via a crafted URL to a web server, aka "TCP/IP QOS Denial of Service Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect abnormally long HTTP GET request URLs composed of many path segments (0x3c or more), each containing long repeated character strings (0x100 bytes), targeting port 80; this is characteristic of the CVE-2011-1965 QoS DoS trigger in Tcpip.sys.
- The exploit sends a raw HTTP/1.0-style GET request with no HTTP version token (bare newline terminator) and a double-blank-line header terminator. This anomalous HTTP framing can be detected at the network layer.
- The vulnerability resides in Tcpip.sys URL-based QoS processing on Windows 7 / Server 2008 R2; monitor for unexpected reboots or kernel crashes (BSODs) on those OS versions correlated with inbound HTTP traffic containing extremely long URL paths.
- The published PoC hardcodes HOST as 'localhost' and was tested as a local kernel exploit; remote exploitation requires a reachable web server on the target running on an unpatched Windows 7 / Server 2008 R2 system.
- The PoC was validated only against Windows 7 32-bit fully patched through August 2011; behaviour on 64-bit or later patch levels is not confirmed by the author.
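The first two indicators above can be checked against a raw request as in the following added example, which is not part of the original page or any vendor rule. The 0x3c and 0x100 thresholds come from the page; the 90% single-byte dominance cutoff, the function names and the finding labels are assumptions made for illustration.

```python
from collections import Counter

MIN_SEGMENTS = 0x3C       # segment count from the page's first indicator
MIN_SEGMENT_LEN = 0x100   # per-segment byte length from the same indicator
DOMINANCE = 0.9           # assumption: share of one byte value that counts as "repeated"


def is_repetitive(segment: bytes) -> bool:
    """True when a single byte value makes up most of the segment."""
    _, count = Counter(segment).most_common(1)[0]
    return count / len(segment) >= DOMINANCE


def inspect_request(raw: bytes) -> list[str]:
    """Return the indicator names (hypothetical labels) matched by a raw HTTP request."""
    findings = []
    first_line, newline, _ = raw.partition(b"\n")
    parts = first_line.rstrip(b"\r").split()
    if len(parts) < 2 or parts[0] != b"GET":
        return findings

    # Indicator 1: many path segments, each a long run of one repeated character.
    path = parts[1].split(b"?", 1)[0]
    suspicious = [s for s in path.split(b"/")
                  if len(s) >= MIN_SEGMENT_LEN and is_repetitive(s)]
    if len(suspicious) >= MIN_SEGMENTS:
        findings.append("long-repeated-path-segments")

    # Indicator 2: the request line carries no HTTP version token.
    if len(parts) < 3 or not parts[-1].startswith(b"HTTP/"):
        findings.append("missing-http-version")

    # Indicator 2, framing: the request line ends in a bare LF instead of CRLF.
    if newline and not first_line.endswith(b"\r"):
        findings.append("bare-lf-line-ending")
    return findings


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "no-version": b"GET /index.html\n\n",
    }
    for name, raw in samples.items():
        print(name, inspect_request(raw))
```

A missing version token or bare LF on its own also matches legacy HTTP/0.9-style clients, so treat those two findings as supporting signals and alert on the path-segment finding.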
- http://securityreason.com/securityalert/8474
- http://www.us-cert.gov/cas/techalerts/TA11-221A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-064
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12318