Are you telling me that you still have an internet-exposed IIS6?

You are insane!


TrendMicro on its blog has published an article about a new 0-Day vulnerability that affects the WebDAV component of Microsoft Internet Information Services 6.0.

The vulnerability ( CVE-2017–7269) is a bufferoverflow located into the webdav components of IIS:

A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found this flaw, this vulnerability was exploited in the wild in July or August 2016. It was disclosed to the public on March 27.


What is WebDAV?

Web Distributed Authoring and Versioning (WebDAV) is

an extension of the HTTP protocol that allows clients to perform remote Web content authoring operations.


The exploit

This vulnerability is exploited using the PROPFIND method and IF header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.

A proof-of-concept exploit was published by Github user edwardz246003:

https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

The python script exploits the vulnerability and sends a payload that only starts the calc.exe on remote machine, but

Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code.


Mitigation?

IIS 6.0 was included with Windows Server 2003.

Unfortunately, Microsoft isn’t supporting and won’t be patching the old OS version anymore, unless you have access to a Custom Premium Support (yes, its really expensive!).

If you don’t have planned a Windows upgrade (newer versions of Windows Server shipped with newer versions of IIS are not affected by this vulnerability), you can mitigate the risk disabling the WebDAV service on the vulnerable IIS 6.0 installations.


More technical informations

https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

Comments