Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -514,11 +514,46 @@ HTTP/1.1 200 OK




## HTTP.sys HTTPS header-line fragmentation

When IIS or another Windows service is backed by **HTTP.sys over HTTPS**, remember that **TLS record boundaries can become parser-relevant boundaries**. SChannel decrypts **each TLS application-data record independently** and HTTP.sys may account for each decrypted record as a different internal receive buffer instead of as one normalized byte stream.

### Why this matters

If the target parses **HTTP/1.x headers** and fully consumes each buffer without merging it, an attacker can try to force a near **1:1 mapping between TLS records and internal buffer references** by sending:

- **one complete header line per TLS record**
- each line terminated with **`CRLF`**
- a **single long-lived HTTPS request**

This is useful when the backend keeps **per-buffer metadata** during header parsing. In the 2026 HTTP.sys bug, that metadata growth reached an [integer overflow](../../binary-exploitation/integer-overflow-and-underflow.md) condition in the array capacity field, which later caused a **tiny reallocation + oversized `memmove`** kernel pool overflow.

### Practical exploitation notes

- This technique was **HTTPS-only** because plaintext HTTP is more likely to be **coalesced/merged** before the parser sees separate buffers.
- The vulnerable path was **HTTP/1.x header parsing**. **HTTP/2** / **HTTP/3** and **HTTP body parsing** did not hit the same logic.
- Exploitation required **tens of thousands of tiny header lines** split across TLS records, so very large request-header limits were needed.
- For HTTP.sys specifically, check `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\MaxRequestBytes`.
- Default **`16384`** bytes is typically too small.
- A value **`>= 262144`** makes this specific header-count amplification path reachable.
- Keeping it **`<= 65535`** was documented as a conservative mitigation for unpatched systems.

### Detection ideas

- **Best signal:** decrypt HTTPS and flag **HTTP/1.x requests with more than ~1000 header lines**.
- **Fallback heuristic:** on one TLS connection, alert on **more than ~1000 short application-data records** carrying small payloads.
- **Supplemental signal:** suspiciously **long-lived HTTPS connections** repeatedly feeding tiny records.

This is a good example of a broader review rule: if a protocol stack processes decrypted data **per TLS record**, record fragmentation may become an attacker-controlled primitive for **parser-state manipulation**, metadata exhaustion, or triggering narrow-field growth bugs.

## References

- [0xdf – HTB Job (IIS write β†’ ASPX shell β†’ GodPotato)](https://0xdf.gitlab.io/2026/01/26/htb-job.html)
- [Unit 42 – Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite](https://unit42.paloaltonetworks.com/phantom-taurus/)
- [AMSI/ETW bypass background (HackTricks)](../../windows-hardening/av-bypass.md)
- [Microsoft – Introduction to ApplicationHost.config](https://learn.microsoft.com/en-us/iis/get-started/planning-your-iis-architecture/introduction-to-applicationhostconfig)
- [Microsoft Threat Intelligence – Code injection attacks using publicly disclosed ASP.NET machine keys](https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/)
- [Zero Day Initiative – CVE-2026-47291: Remote Code Execution in the Windows HTTP.sys](https://www.thezdi.com/blog/2026/7/9/cve-2026-47291-remote-code-execution-in-the-windows-httpsys)
- [Microsoft MSRC – CVE-2026-47291](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291)
{{#include ../../banners/hacktricks-training.md}}