HTTP.sys is Microsoft’s device driver that handles HTTP requests to a hosted web application, commonly IIS-based. HTTP.sys implemented feature enhancements that were introduced with IIS 6. Among these enhancements is Kernel Caching, which allows for a more seamless experience for the user. In IIS 6+, HTTP.sys caches responses within the kernel, which lets the kernel return cached data to the user faster than the previous implementation, which relied on the kernel to pass the request to the worker process for the response. With fewer process hops, returning the response directly from the kernel cache increases speed. It should be noted that other services outside of IIS utilize HTTP.sys as well, such as netsh and servicestate.
To better understand the vulnerability, we must first understand how HTTP.sys works and why it is vulnerable in the first place. HTTP.sys handles all requests to a web application. If the response is already cached, HTTP.sys will r