CVE-2021-31166

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends an item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entry of the local list leaving them dangling in the Request object.

Features

HTTP Protocol Stack Remote Code Execution Vulnerability
Use-after-free dereference in http.sys patched by Microsoft in May 2021
Bugcheck defined
Remote HTTP.sys use-after-free triggered remotely

Project Samples

Project Activity

See All Activity >

License

MIT License

Follow CVE-2021-31166

CVE-2021-31166 Web Site

User Reviews

Be the first to post a review of CVE-2021-31166!

Additional Project Details

Programming Language

Python

Related Categories

Python HTTP Servers, Python HTTP Clients

Registered

2023-05-18

Similar Business Software

CBT Nuggets

Learning IT doesn’t have to mean boring lectures, the frantic pace of bootcamps, or lots of time away from your job or family. With CBT Nuggets, you can train anytime, anywhere, at your own pace — all from the comfort of your office chair or living room couch. Our training team is made up of...

See Software
Frontegg

Frontegg is a Customer Identity and Access Management (CIAM) platform that simplifies authentication, authorization, and user management for SaaS companies. It enables developers to implement advanced identity features quickly, then shift ongoing administration to other teams. With Frontegg,...

See Software
Parasoft

Parasoft helps organizations continuously deliver high-quality software with its AI-powered software testing platform and automated test solutions. Supporting embedded and enterprise markets, Parasoft’s proven technologies reduce the time, effort, and cost of delivering secure, reliable, and...

See Software
ManageEngine Endpoint Central

ManageEngine Endpoint Central is built to secure the digital workplace while also giving IT teams complete control over their enterprise endpoints. It delivers a security-first approach by combining advanced endpoint protection with comprehensive management, allowing IT teams to manage the...

See Software
JDisc Discovery

JDisc Discovery is a comprehensive network inventory and IT asset management solution designed to help organizations gain clear, up-to-date visibility into their IT environment. It automatically scans and maps devices across the network, including servers, workstations, virtual machines, and...

See Software
Clazar

Clazar is the leading Cloud Sales Acceleration Platform, built to help cloud GTM teams scale revenue across the AWS, Microsoft Azure, and Google Cloud marketplaces. Clazar streamlines the entire cloud marketplace sales journey, from listing and offer management to co-selling, metering, and...

See Software

Report inappropriate content

CVE-2021-31166

Remote HTTP.sys use-after-free triggered remotely

Get an email when there's a new version of CVE-2021-31166

Features

Project Samples

Project Activity

Categories

License

Follow CVE-2021-31166

User Reviews

Additional Project Details

Programming Language

Related Categories

Registered