MICROSOFT IIS RCE VULNERABILITY CVE-2017-7269

  Posted in Cyber Security on

  by Rajat Bajpai

Affected Product:  IIS 6.0 for Microsoft Windows Server 2003 R2

This vulnerability was discovered by Zhiniang Peng and Chen Wu (Information Security Lab & School of Computer Science & Engineering, South China University of Technology, Guangzhou, China) around July or August 2016.

Description:

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with “If: <http://” in a PROPFIND request, as exploited in the wild in July or August 2016.

Microsoft IIS 6.0 is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Specifically, this issue affects the ‘ScStoragePathFromUrl’ function in the ‘WebDAV’ service. An attacker can exploit this issue through a specially crafted request containing a long header.

Exploitation:

In this exploit attempt the attacker basically uses a script against the affected product. The exploit script screenshot is by “Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China”.

Exploit payload script

The complete script can be found at: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

Now I am going to explain how, as a security analyst or engineer, one can identify such attacks.

SNORT OR SURICATA RULE FOR DETECTION:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; content:"If|3a 20 3c|"; http_header; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/Hmi"; metadata: former_category WEB_SERVER; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:2; metadata:affected_product Microsoft_IIS, attack_target Web_Server, deployment Datacenter, cve cve_2017_7269, signature_severity Major, created_at 2017_03_28, performance_impact Low, updated_at 2017_03_28;)

So whenever any traffic pattern matches the above rule, the security analyst can take action against it to prevent it.

Triggering element for the IDS signature: the hex value "3a 20 3c", which is the ASCII bytes ": <", so the content match fires on the literal "If: <" in the HTTP header buffer; the pcre then requires a byte at or above 0x7f inside that If header before any ">" or line end.
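To make the rule's two stages concrete, here is an added example (not code from the original post or from the rule's authors) that emulates its logic in Python over constructed PROPFIND requests: the content match is the raw bytes "If: <", and the pcre then looks, within the header buffer only, for an If header that opens with "<" and carries a byte at or above 0x7f before any ">" or line end. The sample requests, host addresses and lock token are constructed, and the mapping of the H/m/i modifiers onto Python regex flags is my reading of the rule.

```python
import re

# Snort/Suricata content match from the rule: "If|3a 20 3c|" is the byte string b"If: <".
# content is case-sensitive unless the rule says nocase, so the fast match stays case-sensitive.
CONTENT_MATCH = b"If: <"

# The rule's pcre as a Python bytes regex. Modifier mapping (my reading of the rule):
#   H -> match only the HTTP header buffer (we pass the header block, never the body)
#   m -> re.MULTILINE, so ^ anchors at the start of each header line
#   i -> re.IGNORECASE
# It fires when an If: header opening with "<" contains a byte >= 0x7f before any ">" or line end.
HEADER_PCRE = re.compile(rb"^If\x3a\x20\x3c[^\r\n>]+?[\x7f-\xff]", re.MULTILINE | re.IGNORECASE)


def header_buffer(raw_request: bytes) -> bytes:
    """Return the header block of a raw HTTP request: request line through the last header."""
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    return head


def matches_cve_2017_7269_rule(raw_request: bytes) -> bool:
    """Emulate the rule: fast content match first, then the pcre, both on the header buffer."""
    headers = header_buffer(raw_request)
    if CONTENT_MATCH not in headers:
        return False
    return HEADER_PCRE.search(headers) is not None


# Constructed sample requests (not captures from the post).
# A legitimate WebDAV client sending an ASCII lock token in If: must not trigger the rule.
BENIGN_PROPFIND = (
    b"PROPFIND /share/report.docx HTTP/1.1\r\n"
    b"Host: webdav.example.internal\r\n"
    b"If: <opaquelocktoken:constructed-token-1234>\r\n"
    b"Depth: 0\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# An If: header beginning with "<http://" whose value carries bytes above 0x7f: the shape the
# pcre looks for. The "A" filler is arbitrary padding, not a payload.
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: 10.0.0.5\r\n"
    b"If: <http://10.0.0.5/" + b"A" * 64 + b"\xc3\xa9\xc3\xa9>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# High bytes only in the body: outside the header buffer, so the rule must stay quiet.
BODY_ONLY_HIGH_BYTES = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: 10.0.0.5\r\n"
    b"If: <http://10.0.0.5/docs/>\r\n"
    b"Content-Length: 2\r\n\r\n"
    b"\xff\xff"
)


def triage(samples: dict) -> dict:
    """Run the emulated rule over named samples and report which ones it flags."""
    return {name: matches_cve_2017_7269_rule(req) for name, req in samples.items()}


if __name__ == "__main__":
    results = triage({
        "benign lock token": BENIGN_PROPFIND,
        "high bytes in If:": SUSPICIOUS_PROPFIND,
        "high bytes in body": BODY_ONLY_HIGH_BYTES,
    })
    for name, hit in results.items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no match'}")
```

The three samples map onto the rule's conditions one by one: the content match alone is not enough (benign lock token), a high byte inside the If header is what the pcre wants, and a high byte in the body never reaches the header buffer the rule inspects.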

What the exploit actually looks like:

HTTP PROPFIND Request
Complete PROPFIND request

The attempt was not successful and got a 307 response.

Obfuscated payload

If we look at the PROPFIND request we see a highly obfuscated payload. I tried decoding it and got something really bizarre; I was not able to decode it successfully.

The above traffic is enough to establish that someone is trying to exploit CVE-2017-7269. Along with this packet we also observed a lot of GET and POST requests to restricted pages, for example:

HTTP GET Requests

We should make sure that none of the above requests gets a 200 OK.

Analysis of GET request

Similarly, we will see a lot of POST requests as well, and we should make sure that none of them is successful.

POST Request analysis
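As an added example (not the post's own tooling), here is a small Python triage script for the check the GET and POST paragraphs describe: parse an IIS W3C log and flag every PROPFIND, plus any request to a restricted page that came back 200 OK. The log excerpt and the restricted prefix `/admin/` are constructed; the parser takes the field order from the log's own #Fields: line rather than assuming it.

```python
from dataclasses import dataclass

# Constructed IIS 6.0 W3C extended log excerpt (not from the post). The '#Fields:' line
# is what the parser uses, so the field order comes from the log itself.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-03-29 10:15:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-03-29 10:15:01 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0
2017-03-29 10:15:02 10.0.0.5 PROPFIND / - 80 - 203.0.113.10 Microsoft-WebDAV-MiniRedir/5.1.2600 307 0 0
2017-03-29 10:15:03 10.0.0.5 GET /admin/config.asp - 80 - 203.0.113.10 Mozilla/5.0 403 0 0
2017-03-29 10:15:04 10.0.0.5 POST /admin/upload.asp - 80 - 203.0.113.10 Mozilla/5.0 200 0 0
2017-03-29 10:15:05 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
"""

# Hypothetical restricted path prefixes; in practice take these from the server's own
# authorisation configuration. The post does not name the restricted pages it observed.
RESTRICTED_PREFIXES = ("/admin/",)


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    path: str
    status: int
    reason: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line, keyed by the names in the #Fields: line."""
    fields = None
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError(f"line {n}: data before a #Fields: header")
        values = line.split()  # W3C fields are space-separated; spaces in values are encoded as '+'
        if len(values) != len(fields):
            raise ValueError(f"line {n}: expected {len(fields)} fields, got {len(values)}")
        yield n, dict(zip(fields, values))


def triage(text, restricted=RESTRICTED_PREFIXES):
    """Return Findings for PROPFIND traffic and for restricted pages that returned 200 OK."""
    findings = []
    lowered = tuple(p.lower() for p in restricted)
    for n, rec in parse_w3c(text):
        method, path, status = rec["cs-method"], rec["cs-uri-stem"], int(rec["sc-status"])
        ip = rec["c-ip"]
        if method.upper() == "PROPFIND":
            # Any PROPFIND is worth a look on a server where WebDAV should be off; a 2xx means
            # WebDAV actually answered, which is the state the post says must not happen.
            reason = "WebDAV answered a PROPFIND (2xx)" if 200 <= status < 300 else "PROPFIND seen (non-2xx)"
            findings.append(Finding(n, ip, method, path, status, reason))
        if path.lower().startswith(lowered) and status == 200:
            findings.append(Finding(n, ip, method, path, status, "restricted page returned 200 OK"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.method} {f.path} -> {f.status}  [{f.reason}]")
```

On the constructed excerpt the 403 on /admin/config.asp is correctly ignored while the 200 on /admin/upload.asp is flagged, and the PROPFIND is reported even though it got a 307, since on a server that should not speak WebDAV the request itself is the indicator.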

What actually happens if this exploit becomes successful:

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
  • Multiple failed exploit attempts will result in denial-of-service conditions.

In the first case we don’t have any remedy except disconnecting and reimaging the server.

In the second case you can block the external source and protect your server from the DoS attack.

Mitigation:

Because Microsoft no longer provides support for Windows Server 2003, we recommend that you disable the WebDAV functionality.

If upgrading or disabling WebDAV is not an option, Qualys Web Application Firewall (WAF) can block any attempt to exploit this vulnerability with one simple rule, or you can use Alibaba Cloud Security WAF to defend against the vulnerability.

How to detect this vulnerability:

Check whether WebDAV is enabled. WebDAV is disabled in IIS by default. You can start IIS Manager, expand the local computer node, select Web Service Extensions, and view the WebDAV enabling status on the right. You can also check remotely for the impact: if IIS 6.0 appears in the returned banner information and PROPFIND is included among the HTTP methods returned, the vulnerability exists.
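The remote check just described, as an added Python example (not the post's own code): evaluate an OPTIONS response for an IIS/6.0 banner and a PROPFIND entry among the advertised methods. The three responses are constructed; `check_host` performs the live request with http.client and is the only part that needs a network. The Public header is consulted as well as Allow because IIS also lists its methods there (an assumption about IIS 6 behaviour, not something the post states).

```python
import http.client
import re


def assess_options_response(server_header, allow_header, public_header=None):
    """Apply the post's two-part test to the headers of an OPTIONS response.

    Returns (iis6, propfind_advertised): the Server banner names IIS/6.0, and PROPFIND
    appears in the Allow (or Public) method list. Both together is the 'vulnerable' condition.
    """
    iis6 = re.search(r"\bIIS/6\.0\b", server_header or "", re.IGNORECASE) is not None
    # IIS 6 lists methods in a Public header as well as Allow (assumption); merge both.
    advertised = ",".join(h for h in (allow_header, public_header) if h)
    methods = {m.strip().upper() for m in advertised.split(",") if m.strip()}
    return iis6, "PROPFIND" in methods


def parse_raw_response_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response into a dict of lower-cased header names to values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_raw(raw: bytes):
    """Assess a captured or constructed raw OPTIONS response offline."""
    h = parse_raw_response_headers(raw)
    return assess_options_response(h.get("server"), h.get("allow"), h.get("public"))


def is_exposed(raw: bytes) -> bool:
    """True only when both conditions from the post hold."""
    return all(assess_raw(raw))


def check_host(host, port=80, path="/", timeout=5.0):
    """Send a single OPTIONS request to the host and return the same (iis6, propfind) tuple."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return assess_options_response(resp.getheader("Server"), resp.getheader("Allow"),
                                       resp.getheader("Public"))
    finally:
        conn.close()


# Constructed OPTIONS responses (not captures from the post) for offline use.
IIS6_WEBDAV_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
IIS6_WEBDAV_OFF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OTHER_SERVER_WEBDAV_ON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.6\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST, PROPFIND\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("IIS 6.0, WebDAV on", IIS6_WEBDAV_ON),
                      ("IIS 6.0, WebDAV off", IIS6_WEBDAV_OFF),
                      ("other server, WebDAV on", OTHER_SERVER_WEBDAV_ON)]:
        print(f"{name:26s} -> iis6={assess_raw(raw)[0]} propfind={assess_raw(raw)[1]} exposed={is_exposed(raw)}")
```

The banner test is deliberately anchored on the exact token IIS/6.0, so a later IIS version with WebDAV enabled is reported as having PROPFIND but not as exposed to this particular bug.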

References:

  1. https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server
  2. https://nvd.nist.gov/vuln/detail/CVE-2017-7269
  3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
  4. https://blog.qualys.com/securitylabs/2017/03/31/microsoft-iis-6-0-buffer-overflow-zero-day#more-23712
  5. https://blog.trendmicro.com/trendlabs-security-intelligence/iis-6-0-vulnerability-leads-code-execution/

Best security practices for the different IIS versions can be found at:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831725(v%3dws.11)


Author : Rajat Bajpai

Rajat Bajpai holds a Master of Engineering in Information and Network Security from the University of Limerick. He has approximately 2 years of experience and currently works with eSentire Inc., Cork as a SOC Analyst.

His job as a security analyst involves dealing with day-to-day cyber attacks and exploits.

Attacks and exploits keep changing, and attackers keep modifying their attack patterns and attack vectors. In order to deal with such attacks, Rajat keeps himself up to date and acts as the first line of defense against them.
