Skip to content

CVE-2022-21907

HTTP Protocol Stack — uninitialized tracker struct via crafted HTTP headers allows RCE

Summary

Field Value
Driver http.sys
Vulnerability Class String Handling
Vulnerable Build 10.0.22621.1 (RTM)
Fixed Build 10.0.22621.382 (KB5019509)
Exploited ITW No

Affected Functions

  • UlpAllocateFastTracker
  • UlAllocateFastTracker

Root Cause

http.sys is the kernel-mode HTTP protocol stack driver used by IIS, WinRM, WSDAPI, and other Windows HTTP services. It handles all aspects of HTTP request processing in kernel space, including connection management, header parsing, and response assembly. Because it operates at ring 0 and is exposed directly to network input, any memory safety bug in http.sys has severe security implications.

The vulnerability is rooted in how http.sys handles HTTP trailer headers during chunked transfer encoding. When a request arrives with Transfer-Encoding: chunked and includes trailing headers after the final chunk, http.sys invokes the fast-tracker allocation path (UlpAllocateFastTracker / UlAllocateFastTracker) to create a tracking structure for processing the trailers. However, the allocation routine fails to fully initialize all fields of this structure. Certain pointer and length fields are left containing stale data from previous pool allocations that occupied the same memory region.

When http.sys subsequently processes the tracker structure and treats these uninitialized fields as valid pointers or buffer lengths, it operates on garbage data inherited from prior pool usage. Depending on the stale values, this results in use-after-free dereferences or out-of-bounds write operations in kernel pool memory. The bug is triggered remotely by sending a crafted HTTP request with specific header combinations to any service backed by http.sys, requiring no authentication and no user interaction.

AutoPiff categorizes this as string_handling with detection rules:

  • safe_string_function_replacement
  • unicode_string_length_validation_added

Exploitation

The uninitialized tracker structure fields provide a remote kernel memory corruption primitive. Because the stale data in the uninitialized fields depends on what previously occupied that pool region, an attacker can influence these values through pool grooming -- sending a sequence of carefully sized HTTP requests that allocate and free pool objects of the right size, leaving controlled data patterns in the memory that will later become the uninitialized tracker fields.

The attack proceeds in two phases. First, the attacker sends a series of HTTP requests designed to shape the kernel pool layout, planting specific pointer values and lengths in the pool region that the tracker structure will later occupy. Then, the attacker sends the triggering request with crafted chunked-encoding trailers, causing http.sys to allocate the tracker at the groomed location. When the driver follows the stale pointer values as though they were valid, it performs reads and writes at attacker-influenced addresses, yielding a kernel read/write primitive sufficient for code execution.

Microsoft classified CVE-2022-21907 as wormable, meaning it can propagate across networks without user interaction. Any Windows system running a service that relies on http.sys (including default IIS configurations and WinRM) is vulnerable. The pre-authentication, remote, kernel-level nature of this vulnerability made it one of the most critical patches in its release cycle.

Patch Analysis

The patch adds proper zero-initialization of the tracker structure at allocation time, ensuring no stale pool data can persist into the fields used during trailer processing. Additionally, the fix introduces validation of string length fields derived from HTTP header values before they are used in memory operations, preventing attacker-controlled header content from driving out-of-bounds accesses even if the structure were somehow populated with unexpected values. Unsafe string handling functions in the trailer parsing path were replaced with their safe counterparts (such as RtlStringCb* variants) that enforce explicit bounds checking.

AutoPiff detects this patch pattern through the safe_string_function_replacement rule (which flags substitution of unsafe string routines with bounded alternatives) and the unicode_string_length_validation_added rule (which identifies newly added length checks on UNICODE_STRING structures before they are consumed by copy or comparison operations).

Detection

YARA Rule

rule CVE_2022_21907_HTTP {
    meta:
        description = "Detects vulnerable version of http.sys (pre-patch)"
        cve = "CVE-2022-21907"
        author = "KernelSight"
        severity = "high"
    strings:
        $mz = { 4D 5A }
        $driver_name = "http.sys" wide ascii nocase
        $vuln_build = "10.0.22621.1" wide ascii
        $func_alloc_tracker = "UlpAllocateFastTracker" ascii
        $func_alloc_tracker2 = "UlAllocateFastTracker" ascii
    condition:
        $mz at 0 and $driver_name and $vuln_build and ($func_alloc_tracker or $func_alloc_tracker2)
}

ETW Indicators

Provider Event / Signal Relevance
Microsoft-Windows-HttpService Event ID 1 (Request received) HTTP requests with Transfer-Encoding: chunked and trailing headers that trigger the vulnerable fast-tracker allocation path
Microsoft-Windows-HttpService Event ID 4 (Send response) Abnormal response patterns or connection resets following trailer header processing failures
Microsoft-Windows-HttpService Event ID 23 (Parse error) Malformed chunked-encoding requests that fail parsing after the uninitialized tracker has already been used
Microsoft-Windows-Kernel-Process Process creation / crash events Kernel bugcheck (BSOD) or unexpected worker process termination following exploitation attempts
Microsoft-Windows-Security-Auditing Event ID 5156 (Network connection allowed) Inbound connections to HTTP.sys-backed ports (80, 443, 5985) from external sources preceding the exploit trigger

Behavioral Indicators

  • Inbound HTTP requests with Transfer-Encoding: chunked that include abnormal or oversized trailing headers after the final zero-length chunk, targeting IIS, WinRM, or WSDAPI endpoints
  • A pool grooming phase preceding the exploit: a burst of precisely sized HTTP requests designed to fill and free pool allocations so that controlled data occupies the memory region where the uninitialized tracker structure will be allocated
  • The trigger request causes UlpAllocateFastTracker to allocate a tracker structure with stale pointer and length fields from prior pool usage, leading to use-after-free dereferences or out-of-bounds writes in kernel pool memory
  • Potential kernel crash (bugcheck) on failed exploitation attempts, manifesting as unexpected BSOD events on internet-facing Windows servers running http.sys-backed services
  • Wormable propagation pattern: multiple hosts on the same network segment experiencing identical HTTP-triggered kernel crashes or compromises within a short time window

References