Zero-Day in IIS 6.0 Affects More than 8 Million Websites

Nearly 8 million websites are exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July last year, researchers warn.

The bug was found in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in IIS 6.0 on Windows Server 2003 R2. The issue, tracked as CVE-2017-7269, stems from improper validation of the ‘IF’ header in a PROPFIND request and can allow an attacker to cause a denial of service or even run arbitrary code.

Discovered by two researchers with the School of Computer Science & Engineering, Information Security Lab, South China University of Technology, Guangzhou, China, the vulnerability was exploited in the wild in July 2016. Earlier this week, the researchers published a proof-of-concept on GitHub and revealed that Microsoft has already acknowledged the bug.

The WebDAV extension of the HTTP protocol allows clients to perform authoring operations on remote web content, adding support for several new HTTP methods, including MKCOL, PROPFIND, COPY, LOCK and UNLOCK.

The exploit abuses the PROPFIND method and the IF header. The former, as Trend Micro’s Virendra Bisht explains, “retrieves properties defined on resource identified by Request-URI” and is supported by all WebDAV-compliant resources, while the latter “handles state token as well as ETags.”

According to Bisht, “this vulnerability could be exploited with an overly large ‘IF’ header in the ‘PROPFIND’ request with a minimum of two http resource in IF header.” The researcher also explained that, while successful attacks could lead to remote code execution, unsuccessful attacks could sometimes lead to denial-of-service conditions.
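A defensive check for the request shape Bisht describes, as an added example that is not from the original article or the researchers: it flags PROPFIND requests whose If header is oversized and names at least two http resources. The 1024-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: the page gives no size limit; 1024 bytes is a tunable threshold.
MAX_IF_HEADER_BYTES = 1024
# Resource tags in an If header look like <http://host/path>.
RESOURCE_TAG = re.compile(r"<https?://[^>]*>", re.IGNORECASE)


def parse_request(raw):
    """Return (method, headers) from a raw request; header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()  # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            # Join repeated headers so a split If header is measured whole.
            prefix = headers[last] + ", " if last in headers else ""
            headers[last] = prefix + value.strip()
    return method, headers


def is_suspicious_propfind(raw):
    """True for PROPFIND with an oversized If header naming >= 2 http resources."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_header = headers.get("if", "")
    too_large = len(if_header.encode("utf-8", "replace")) > MAX_IF_HEADER_BYTES
    return too_large and len(RESOURCE_TAG.findall(if_header)) >= 2


# Constructed sample requests; the long token is plain filler.
NORMAL = ("PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\n"
          "If: <http://example.test/docs/a> (<urn:constructed:token>)\r\n\r\n")
OVERSIZED = ("PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
             "If: <http://example.test/a> (<urn:constructed:" + "x" * 2000 + ">)\r\n"
             " <http://example.test/b> (<urn:constructed:y>)\r\n\r\n")
BIG_GET = "GET / HTTP/1.1\r\nHost: example.test\r\nIf: " + "x" * 4000 + "\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("NORMAL", NORMAL), ("OVERSIZED", OVERSIZED), ("BIG_GET", BIG_GET)):
        print(name, is_suspicious_propfind(req))
```

The same predicate can be applied to proxy or WAF logs that record full request headers; tune the threshold against the If headers your legitimate WebDAV clients actually send.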

Data from W3Techs reveals that Microsoft’s IIS is currently the third most popular web server technology, powering 11.4% of all websites. While newer versions of Microsoft’s technology are more popular, IIS 6.0 still accounts for 11.3% of IIS-powered websites, which means 1.3% of all websites are powered by this version.

 
