How an Integer Overflow in IIS’s Read Function Triggers CVE‑2015‑1635
The article explains how a signed‑to‑unsigned integer overflow in IIS’s Read function bypasses size checks, leading to a zero‑length read that triggers the CVE‑2015‑1635 vulnerability in HTTP.sys, allowing attackers to crash the server with crafted Range requests.
In IIS’s HTTP.sys driver, a function named Read reads file data based on a start and end offset. The original implementation limits a single read to 1024 bytes:
char* Read(int fd, int start, int end) {
    /* start and end are signed; a negative end makes the unsigned length tiny */
    unsigned int length = end - start + 1;
    if (length > 1024)
        return NULL;
    return ReadFile(fd, start, end);   /* reached with length == 0 when end == -1 */
}

The function assumes start and end are signed 32‑bit integers. Supplying 4294967295 (the maximum 32‑bit unsigned value) for end causes it to be interpreted as -1. The length calculation then becomes -1 - 0 + 1 = 0, which bypasses the length > 1024 check and returns a zero‑length buffer.
This logic flaw existed in the real Microsoft IIS server and is identified as CVE-2015-1635. The vulnerability resides in the HTTP.sys kernel driver that parses the HTTP Range header. An attacker can send a request such as:

GET /resource.png HTTP/1.1
Host: 127.0.0.1:8180
Range: bytes=0-18446744073709551615

When the 64‑bit unsigned maximum (18446744073709551615) is used as the range end, the driver's signed/unsigned conversion leads to an integer overflow, so the calculated length becomes zero and the safety checks are skipped. The kernel then dereferences invalid memory, resulting in a blue‑screen (BSOD) and a denial‑of‑service condition.
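The following added example (not code from the article or from IIS) puts the two length calculations discussed above side by side with a hardened check: the toy 32‑bit signed version where end = -1 yields length 0, the 64‑bit version where the +1 wraps 18446744073709551615 back to 0, and a validator that rejects inverted ranges, ranges past the resource, and any arithmetic that could wrap before the size limit is applied. The resource size (4096) and read ceiling (1024) are constructed values for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same arithmetic as the page's Read(): signed operands, no ordering check.
 * end = -1 is what 4294967295 becomes in an int, so length = -1 - 0 + 1 = 0
 * and a "> 1024" check is never triggered. */
static unsigned int vulnerable_length32(int start, int end) {
    return (unsigned int)(end - start + 1);
}

/* 64-bit shape of the Range: bytes=0-18446744073709551615 case: the +1 wraps
 * UINT64_MAX back to 0, so the length is 0 with no signed conversion at all. */
static uint64_t vulnerable_length64(uint64_t start, uint64_t end) {
    return end - start + 1;
}

/* Hardened check: ordered range, inclusive end inside the resource, and a
 * wrap-proof +1 before the size limit. Returns the byte count, or 0 when the
 * range is rejected (a valid range is never 0 bytes long). */
static uint64_t checked_length64(uint64_t start, uint64_t end,
                                 uint64_t resource_size, uint64_t max_read) {
    if (start > end)          return 0;  /* inverted range: end - start would wrap */
    if (end >= resource_size) return 0;  /* inclusive end; also forces end < UINT64_MAX */
    uint64_t span = end - start;         /* cannot underflow: start <= end */
    if (span == UINT64_MAX)   return 0;  /* explicit guard so span + 1 cannot wrap */
    if (span + 1 > max_read)  return 0;  /* the 1024-byte ceiling from the page */
    return span + 1;
}

int main(void) {
    printf("toy 32-bit, end=-1 (4294967295 as int): length=%u\n",
           vulnerable_length32(0, -1));
    printf("64-bit, end=UINT64_MAX:                  length=%llu\n",
           (unsigned long long)vulnerable_length64(0, UINT64_MAX));
    printf("checked, bytes=0-%llu on 4096-byte file: length=%llu (0 = rejected)\n",
           (unsigned long long)UINT64_MAX,
           (unsigned long long)checked_length64(0, UINT64_MAX, 4096, 1024));
    printf("checked, bytes=0-1023 on 4096-byte file: length=%llu\n",
           (unsigned long long)checked_length64(0, 1023, 4096, 1024));
    return 0;
}
```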
Exploiting the flaw can be done with tools like Metasploit, which craft the malicious Range request to trigger the crash. The article demonstrates setting up an IIS 7 virtual machine, sending the crafted request, and observing the server crash.
For deeper technical details, the original analysis by 360’s MJ0011 ("MS15-034/CVE-2015-1635 HTTP Remote Code Execution Vulnerability Analysis") is referenced.
The key lesson is to handle signed‑to‑unsigned conversions carefully, especially when processing external parameters, as a single mis‑typed integer can lead to catastrophic kernel failures.
This article has been distilled and summarized from source material, then republished for learning and reference.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.