
Microsoft Vulnerability CVE-2022-21907 Exploitation

HTTP Protocol Stack Remote Code Execution Vulnerability.

An unauthenticated attacker can send an HTTP request whose ‘Accept-Encoding’ header triggers a double free in the unknown-coding list of the HTTP Protocol Stack (http.sys) while it processes the request, resulting in a kernel crash.

CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability

  • QRadar AQL
SELECT UTF8(payload) from events where UTF8(payload) ILIKE '%%Accept-Encoding%%' and UTF8(payload) ILIKE '%%&%%%' and UTF8(payload) ILIKE '%%, %%'
  • Splunk
(c-headers="Accept-Encoding" c-headers="&" c-headers=", *")
  • Elastic Query
(c-headers:Accept-Encoding AND c-headers:&* AND c-headers:*,\ *)
  • Azure Sentinel
Webserver | where (c-headers contains 'Accept-Encoding' and c-headers matches regex '(?i).&..*' and c-headers contains ', ')
  • RegEx
^(?:.(?=..Accept-Encoding.)(?=..&..)(?=.., .*))
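The queries above all encode the same heuristic: an Accept-Encoding header that contains both an ampersand and a comma-space sequence. The following Python is an added example (not code from the original post or from Microsoft) that applies that heuristic to raw HTTP requests and to a flattened "c-headers"-style field, using constructed sample requests; the `flatten_headers` format and the sample values are assumptions made for the illustration.

```python
"""Accept-Encoding heuristic behind the CVE-2022-21907 detection queries.

Added example, not part of the original post. Flags requests whose
Accept-Encoding value contains both '&' and ', '. Sample requests below are
constructed for the illustration and are not real captures.
"""

from typing import Dict, List

# Constructed sample requests. Only the second one carries an Accept-Encoding
# value that satisfies the heuristic; the third has '&' and ', ' elsewhere.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    "Accept-Encoding: gzip, br & deflate, identity\r\n\r\n",
    "GET /search?q=a&b=c HTTP/1.1\r\nHost: www.example.test\r\n"
    "Referer: http://www.example.test/?x=1&y=2\r\n"
    "Accept: text/html, application/xhtml+xml\r\n"
    "Accept-Encoding: gzip\r\n\r\n",
]


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a dict.

    Header names are lower-cased; the request line and any body are ignored.
    Repeated headers are joined with ', ' as RFC 7230 allows for list fields.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def is_suspicious_accept_encoding(value: str) -> bool:
    """The post's heuristic: '&' and ', ' both present in the header value.

    RFC 7231 content-coding names are tokens and never contain '&', so a
    well-behaved client should not produce a value that satisfies both checks.
    """
    return "&" in value and ", " in value


def flatten_headers(raw_request: str) -> str:
    """Assumed 'c-headers'-style flattening: 'name: value' pairs joined by '; '."""
    return "; ".join(f"{k}: {v}" for k, v in parse_headers(raw_request).items())


def c_headers_match(c_headers: str) -> bool:
    """The check as the Splunk/Elastic/Sentinel queries apply it, over the whole
    flattened header field rather than the Accept-Encoding value alone."""
    return ("accept-encoding" in c_headers.lower()
            and "&" in c_headers and ", " in c_headers)


def scan(requests: List[str]) -> List[int]:
    """Return indexes of requests whose Accept-Encoding value matches."""
    hits = []
    for i, raw in enumerate(requests):
        enc = parse_headers(raw).get("accept-encoding")
        if enc is not None and is_suspicious_accept_encoding(enc):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("header-scoped hits:", scan(SAMPLE_REQUESTS))
    for i, raw in enumerate(SAMPLE_REQUESTS):
        print(i, "flattened-field match:", c_headers_match(flatten_headers(raw)))
```

Running it shows the difference between the two scopes: the header-aware check flags only request 1, while the flattened-field check also flags request 2, whose '&' sits in the Referer and whose ', ' sits in Accept. Where the log source keeps headers as separate fields, scope the rule to the Accept-Encoding value to avoid that class of false positive.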

4 thoughts on “Microsoft Vulnerability CVE-2022-21907 Exploitation”

  1. · 23.01.2022 at 12:37

    Not bad.

  2. Fascinating.

  3. Thanks for such information.

  4. · 06.02.2022 at 22:03

    The information collected on this site is very important.