cbcvebase.
CVE-2015-1635
published 2015-04-14

CVE-2015-1635: HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute…

Priority P196, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 100.00% (100.0th percentile)

HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

Affected

2 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_server_2008 | |
microsoft | windows_server_2012 | |

Detection & IOCs (extracted from sources)

command: curl -H 'Range: bytes=0-18446744073709551615' http://YOURHOST//
other: HTTP Range header: bytes=0-18446744073709551615
other: HTTP 416 Requested Range Not Satisfiable response indicates vulnerable target
other: HTTP response string: 'The request has an invalid header name' indicates patched target
  • Send an HTTP request with 'Range: bytes=0-18446744073709551615' to the target IIS server. A response of HTTP 416 ('Requested Range Not Satisfiable') indicates the host is vulnerable to CVE-2015-1635; a patched host will not reach UlAdjustRangeToContentSize and will not return 416.
  • Exploitation requires at least two identical malformed Range requests: the first primes the kernel cache path (CacheMiss), and the second triggers BuildCacheEntry and SendCacheEntry with the overflowed length, causing a BSOD/crash.
  • The Metasploit auxiliary module 'auxiliary/dos/http/ms15_034_ulonglongadd' can be used to check and trigger the DoS condition against CVE-2015-1635 targets.
  • The exploit PoC (exploit-db 36773) is marked UNTESTED by its author and should be treated as a detection/audit checker only, not a reliable weaponised exploit.
  • The vulnerability is actively exploited in the wild and DoS exploit code is widespread; patching or disabling IIS kernel caching as a workaround should be prioritised for Internet-facing Windows IIS servers.

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL