Affected Product: IIS 6.0 for Microsoft Windows Server 2003 R2
This vulnerability was discovered by Zhiniang Peng and Chen Wu. (Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou), China around July or August 2016.
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with “If: <http://” in a PROPFIND request, as exploited in the wild in July or August 2016.
Microsoft Internet Explorer is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Specifically, this issue affects the ‘ScStoragePathFromUrl’ function in the ‘WebDAV’ service. An attacker can exploit this issue through a specially crafted request containing a long header.
In this exploit attempt hacker basically use a script against the affected product. Exploit script screenshot by “Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China”
Complete script can be find at: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
Now I am going to explain how being a Security analyst/ Engineer one can identify such attacks.
SNORT OR SURICATA RULE FOR DETECTION:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:”ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)“; flow:to_server,established; content:”If|3a 20 3c|”; http_header; pcre:”/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/Hmi”; metadata: former_category WEB_SERVER; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:2; metadata:affected_product Microsoft_IIS, attack_target Web_Server, deployment Datacenter, cve cve_2017_7269, signature_severity Major, created_at 2017_03_28, performance_impact Low, updated_at 2017_03_28;)
So whenever any traffic pattern matches the above rule, security analyst can take action against it to prevent it.
Triggering Element for IDS Signal : Hex value “3a 20 3c”
How does exploit actually looks like:
Attempt was not successful and got 307 response.
If we notice PROPFIND request we see highly obsuficated payload, I tried decoding it and got something really bizzard, not able to decode successfully.
Above traffic is enough to make sure someone is trying to exploit CVE-2017-7269.Along with this packet we also observed a lot of GET and POST request to restricted pages for example:
We should make sure none of the above request gets 200 OK.
Similarly, we will see a lot of POST request as well and we should make sure none of them is successful.
What actually happens if this exploit becomes successful:
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
- Multiple Failed exploit attempts will result in denial-of-service conditions.
In the first case we don’t have any remedy except disconnecting and reimaging.
In second case you can bock the external and can protect your server from DOS attack.
Because Microsoft no longer provides support for Windows Server 2003, we recommend that you disable the WebDAV functionality.
If upgrading or disabling WebDAV is not in option, with one simple rule, Qualys Web Application Firewall (WAF) can block any attempts to exploit this vulnerability OR You can use Alibaba Cloud Security WAF to defend against the vulnerability.
How to detect this vulnerability:
Check whether WebDAV is enabled. WebDAV is disabled in IIS by default. You can start IIS Manager, start a local computer, select Web Service Extensions, and view the WebDAV enabling status on the right. And remotely check for the impact. If IIS 6.0 is in the returned banner information and PROPFIND is included in the HTTP return method, the vulnerability exists.
Best security practice in regard to different IIS versions can be find at: