I tried to send the bad curl request to our servers (test env, obviously) and I didn't get any error. It seems I should be getting "Requested Range Not Satisfiable" if the server is vulnerable and "The request has an invalid header name" if it's patched. I'm getting neither, simply a normal HTTP 200 response with the requested page. Anyone know how to really test it?
EDIT: It is indeed related to the "Output Cache" setting in IIS, as I said I was suspecting in another comment. I managed to crash our servers by going to IIS Management, selecting the website I wanted to test, going to Output Caching, enabling the feature AND also adding a rule (I added a rule for .png just to test). If you have NO rules it is the same as having the feature disabled, so you are safe. If you add a rule and check "Enable Kernel Caching" you are vulnerable!
EDIT 2: As some have asked, this is the command I used to crash our test server. I tested it after having created a new Output Caching rule to cache all .png files in kernel mode.
I didn't take a screenshot of the BSOD and I don't plan on crashing our test env a second time today because people are using it (I tested it early enough that not a lot of people were at the office yet).
I just crashed a 2008 R2 server without a rule, just with "Enable Kernel Caching".
Not sure if it is relevant, but I first added a rule for .png, and then removed it again. Still worked.
Can't edit the top comment anymore :( but it has been found that indeed no rules are needed to exploit this (my previous answer is outdated and wrong!)
If you can't afford to reboot your servers right now to install the patch, at least you can add this to your web.config and deploy your websites ASAP:
Instead of updating every single web.config of your websites, I think it is better to just update once and for all by updating machine.config. What do you say?
Seems like you can't add a system.webServer node on the machine.config, but you could add it to applicationHost.config (source: http://www.iis.net/learn/get-started/planning-your-iis-archi... ) so yes, that would be faster. You have to make sure that none of your web.config files override that setting though!
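As an added example (not the snippet the commenter above was referring to, which did not make it into the thread), this is what the "kernel caching off" workaround from the Microsoft bulletin looks like as a web.config fragment; the thread's crash reproduction is the opposite setting, caching enabled="true" with enableKernelCache="true" and a .png rule.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config: added example, not the snippet from the thread.
     The configuration the thread crashes IIS with is the reverse of this:
       <caching enabled="true" enableKernelCache="true"> plus a .png cache rule.
     Turning kernel-mode caching off is the documented workaround only;
     the Windows patch is still required. -->
<configuration>
  <system.webServer>
    <!-- enableKernelCache="false" is the attribute that matters for this bug
         (HTTP.sys no longer serves responses from its kernel cache).
         enabled="false" additionally switches off user-mode output caching. -->
    <caching enabled="false" enableKernelCache="false" />
  </system.webServer>
</configuration>
```

To apply it once for every site, the same `<caching .../>` element can be placed in applicationHost.config, either in the global `<system.webServer>` section or inside a `<location path="...">` element for one site. A site's own web.config can still override it unless the `caching` section is locked there (overrideModeDefault="Deny" on that section in applicationHost.config), which is the override the previous comment warns about.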
As all our servers are behind a traffic manager product like F5/ZXTM, I'm experimenting with removing the Range header so it never reaches the web server, as some apps rely on kernel-mode caching to achieve performance.
Also, my tests seem to indicate that just having kernel-mode caching enabled, even if you don't have any rules, still seems to cause a BSOD.
You're right! Even with no rule, having kernel caching enabled will crash it! I think IIS assumes it should cache all static content even when there are no rules specifically for them. Somehow I can't edit my comment anymore, but I'll leave this here:
EVEN WITH NO RULES, YOU ARE VULNERABLE! My previous answer has been proven to be wrong!
That was my case as well... initialized IIS on a fresh server to test against. (Took me a while to figure out that IIS wasn't even set up, since the IIS manager was on the server.) ... Accidentally crashed my local machine too (forgot to change localhost to the IP of the server when copy/pasting the URL from the browser on the server).
Do you happen to have a screenshot of the BSOD, or could test it a second time to take a screenshot? I don't really have a free test server that I can crash anymore since I tested this morning when not a lot of people were at the office yet.
Yep. I tried curl -v to get all the raw headers line by line and the payload is there, and I also tried in telnet, both return a 200 page.
I read the Microsoft security bulletin and it says that your IIS server is protected if Kernel Caching is off; maybe that's why our servers are neither blocking the request nor crashing with the request.
I was able to crash mine (local win8.1 and win2012 server) without any rules specified, only the checkbox enabled for kernel caching... it may vary based on windows version.
One other possibility is that your systems have already been compromised and are giving you back incorrectly safe-looking output. I'm not saying it's probable, just possible.
Confirmed the above command crashed my Win 2012 R2 server on AWS with no output cache rules.
I found a png being served by my home page, and after 2 of the above requests the server crashed.
I installed the pending Windows updates and after a restart the problem seems to be gone.
EDIT 2: As some have asked, this is the command I used to crash our test server. I tested it after having created a new Output Caching rule to cache all .png files in kernel mode.
curl -v http://example.com/image.png -H "Range: bytes=18-18446744073709551615"