Pierluigi Paganini March 29, 2017

Millions of websites are affected by a buffer overflow zero-day vulnerability, tracked as CVE-2017-7269, that resides in the IIS 6.0.

The II6 6.0 zero-day flaw was discovered by two researchers with the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China who published a PoC code exploit on GitHub. 

Microsoft has already acknowledged the vulnerability that was exploited in the wild in July or August 2016.

More than 8 million websites could be affected by the flaw that resides in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0.

The issue is caused by the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to trigger a denial of service condition or to run arbitrary code.

“Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269) due to an improper validation of an ‘IF’ header in a PROPFIND request.” reads the analysis published by Trend Micro.

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND  method. Successful exploitation could result in denial of service condition or  arbitrary code execution in the context of the user running the application.”

The Web Distributed Authoring and Versioning (WebDAV) extension of the HTTP protocol allows clients to perform remote Web content authoring operations. It allows to extend the support HTTP methods, including COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

“This vulnerability is exploited using the PROPFIND method and IF header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.” continues the analysis.

The impact of this vulnerability is wide, according to data provided by the W3Techs, Microsoft’s IIS is currently the third most popular web server solution in the wild (11.4% of all websites). IIS 6.0 accounts for 11.3%, roughly 1.3% of all websites on the Internet.

The vulnerability doesn’t affect newer versions of Microsoft Internet Information Services.

According to BuiltWith, IS 6.0 version is currently used by 2.3% of the entire Internet, over 8.3 million live websites are using IIS 6.0.

In order to mitigate the risk of cyber attacks, it is possible to disable the WebDAV service on IIS 6.0 installations.

“To mitigate the risk, disabling the WebDAV service on the vulnerable IIS 6.0 installation is recommended. Newer versions of Windows Server shipped with newer versions of IIS are not affected by this vulnerability.” concluded Trend Micro.

Pierluigi Paganini

(Security Affairs – IIS 6.0 flaw, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]