CVE-2011-1965
published 2011-08-10

Priority: P347, high
CVSS 2.0: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Exploit: available
EPSS: 24.93% (97.6th percentile)
Tcpip.sys in the TCP/IP stack in Microsoft Windows 7 Gold and SP1 and Windows Server 2008 R2 and R2 SP1 does not properly implement URL-based QoS, which allows remote attackers to cause a denial of service (reboot) via a crafted URL to a web server, aka "TCP/IP QOS Denial of Service Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |

Detection & IOCs (extracted from sources)

Command: GET /<0x3c segments of 0x100 'a' chars joined by '/'>/bbbbbbb\n
  • Detect abnormally long HTTP GET request URLs composed of many path segments (0x3c or more) each containing long repeated character strings (0x100 bytes), targeting port 80 — characteristic of the CVE-2011-1965 QoS DoS trigger in Tcpip.sys.
  • The exploit sends a raw HTTP/1.0-style GET request with no HTTP version token (bare newline terminator) and a double-blank-line header terminator — anomalous HTTP framing that can be detected at the network layer.
  • The vulnerability resides in Tcpip.sys URL-based QoS processing on Windows 7 / Server 2008 R2; monitor for unexpected reboots or kernel crashes (BSODs) on those OS versions correlated with inbound HTTP traffic containing extremely long URL paths.
  • The published PoC hardcodes HOST as 'localhost' and was tested as a local kernel exploit; remote exploitation requires a reachable web server on the target running on an unpatched Windows 7 / Server 2008 R2 system.
  • The PoC was validated only against Windows 7 32-bit fully patched through August 2011; behaviour on 64-bit or later patch levels is not confirmed by the author.
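
One way to apply the first two detection bullets to captured request bytes, as an added example (not code from this page or its sources). The function names and finding labels are assumptions, and the sample requests are constructed.

```python
import re

MIN_SEGMENTS = 0x3C  # segment count quoted in the detection notes
MIN_SEG_LEN = 0x100  # per-segment length quoted in the detection notes
VERSION_RE = re.compile(rb"HTTP/\d\.\d$")


def inspect_request(raw: bytes) -> list[str]:
    """Return the heuristics from the notes above that a raw request matches."""
    findings = []
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split(b" ")
    if len(parts) < 2 or parts[0] != b"GET":
        return findings
    path = parts[1].split(b"?", 1)[0]
    segments = [s for s in path.split(b"/") if s]
    # Count only long segments that consist of one repeated byte.
    padded = [s for s in segments if len(s) >= MIN_SEG_LEN and len(set(s)) == 1]
    if len(padded) >= MIN_SEGMENTS:
        findings.append("long-repeated-segments")
    # The request line ends without an HTTP version token.
    if not VERSION_RE.search(line):
        findings.append("no-http-version")
    return findings


def is_suspicious(raw: bytes) -> bool:
    """Alert on the URL shape; a missing version token alone is only context."""
    return "long-repeated-segments" in inspect_request(raw)


# Constructed samples: two ordinary requests and one with the shape in the notes.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
DEEP_BUT_SHORT = (
    b"GET /" + b"/".join(b"dir%d" % i for i in range(80)) + b" HTTP/1.1\r\n\r\n"
)
MATCHING = b"GET /" + b"/".join([b"a" * MIN_SEG_LEN] * MIN_SEGMENTS) + b"/bbbbbbb\n\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("deep", DEEP_BUT_SHORT), ("matching", MATCHING)]:
        print(name, inspect_request(req), is_suspicious(req))
```

The thresholds mirror the values in the notes; a deployed rule would normally also cap total URL length, since a variant need not use exactly these segment sizes.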