From a736cb21cd9ed65b8bd03cd4c0e9f69f12ad2369 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 10 Jul 2026 14:23:43 +0000 Subject: [PATCH] Add content from: CVE-2026-47291: Remote Code Execution in the Windows HTTP.sy... --- .../iis-internet-information-services.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md index 242d8fee4d4..1e2b1561eed 100644 --- a/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md +++ b/src/network-services-pentesting/pentesting-web/iis-internet-information-services.md @@ -514,6 +514,39 @@ HTTP/1.1 200 OK + +## HTTP.sys HTTPS header-line fragmentation + +When IIS or another Windows service is backed by **HTTP.sys over HTTPS**, remember that **TLS record boundaries can become parser-relevant boundaries**. SChannel decrypts **each TLS application-data record independently** and HTTP.sys may account for each decrypted record as a different internal receive buffer instead of as one normalized byte stream. + +### Why this matters + +If the target parses **HTTP/1.x headers** and fully consumes each buffer without merging it, an attacker can try to force a near **1:1 mapping between TLS records and internal buffer references** by sending: + +- **one complete header line per TLS record** +- each line terminated with **`CRLF`** +- a **single long-lived HTTPS request** + +This is useful when the backend keeps **per-buffer metadata** during header parsing. In the 2026 HTTP.sys bug, that metadata growth reached an [integer overflow](../../binary-exploitation/integer-overflow-and-underflow.md) condition in the array capacity field, which later caused a **tiny reallocation + oversized `memmove`** kernel pool overflow. + +### Practical exploitation notes + +- This technique was **HTTPS-only** because plaintext HTTP is more likely to be **coalesced/merged** before the parser sees separate buffers. +- The vulnerable path was **HTTP/1.x header parsing**. **HTTP/2** / **HTTP/3** and **HTTP body parsing** did not hit the same logic. +- Exploitation required **tens of thousands of tiny header lines** split across TLS records, so very large request-header limits were needed. +- For HTTP.sys specifically, check `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes`. + - Default **`16384`** bytes is typically too small. + - A value **`>= 262144`** makes this specific header-count amplification path reachable. + - Keeping it **`<= 65535`** was documented as a conservative mitigation for unpatched systems. + +### Detection ideas + +- **Best signal:** decrypt HTTPS and flag **HTTP/1.x requests with more than ~1000 header lines**. +- **Fallback heuristic:** on one TLS connection, alert on **more than ~1000 short application-data records** carrying small payloads. +- **Supplemental signal:** suspiciously **long-lived HTTPS connections** repeatedly feeding tiny records. + +This is a good example of a broader review rule: if a protocol stack processes decrypted data **per TLS record**, record fragmentation may become an attacker-controlled primitive for **parser-state manipulation**, metadata exhaustion, or triggering narrow-field growth bugs. + ## References - [0xdf – HTB Job (IIS write → ASPX shell → GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html) @@ -521,4 +554,6 @@ HTTP/1.1 200 OK - [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md) - [Microsoft – Introduction to ApplicationHost.config](https://learn.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/introduction-to-applicationhostconfig) - [Microsoft Threat Intelligence – Code injection attacks using publicly disclosed ASP.NET machine keys](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/) +- [Zero Day Initiative – CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys](https://www.thezdi.com/blog/2026/7/9/cve-2026-47291-remote-code-execution-in-the-windows-httpsys) +- [Microsoft MSRC – CVE-2026-47291](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291) {{#include ../../banners/hacktricks-training.md}}