[aklug] significant IIS 6 vulnerability with published exploit, some Alaskan impact

Royce Williams royce at tycho.org
Thu Mar 30 07:02:55 AKDT 2017


*The vulnerability:*

https://nvd.nist.gov/vuln/detail/CVE-2017-7269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269

*Why it matters:*

This one is now very unlikely to receive a patch from Microsoft. It also
now has a public exploit. It is likely to be weaponized (or even turn into
a worm) soon, as the bar to recreating the exploit appears to be low.

*Description:*
*Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service
in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003
R2 allows remote attackers to execute arbitrary code via a long header
beginning with "If: <http://" in a PROPFIND request, as exploited in the
wild in July or August 2016.*

*More background:*

https://threatpost.com/publicly-attacked-microsoft-iis-zero-day-unlikely-to-be-patched/124641/

*Alaskan exposure:*

At least 109 Alaskan hosts in 83 unique domains appear to still be running
IIS 6, including some pretty familiar names.

Here is the list:

http://www.techsolvency.com/tls/lists/CVE-2017-7269.txt

I've also made a list of just the domains by frequency count, sorted by
domain, for easy visual checking:

http://www.techsolvency.com/tls/lists/CVE-2017-7269-domains.txt

Let me know if you can't retrieve them.

I've tried to restrict these lists to known Alaskan networks, but it's
trivial obscurity. IIS version is publicly discoverable, even if you
suppress the web server's advertisement of its version. Tools like Shodan
allow anyone to query for IIS version and geography, so this list is
trivially recreatable. And the exploit is likely to be so easy that it can be
tried against every server, regardless of version.

*Call to action:*

Advise your clients/stakeholders, mitigate, and/or forward to interested
parties accordingly.

If you have a WAF in front of your web server, ensure that it has a
signature for this. If you don't have a WAF, consider putting one in front
of the server. Something like CloudFront can be spun up pretty quickly.

Royce
-- 
Royce Williams <http://www.techsolvency.com/roycewilliams/>
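The request shape in the NVD description above (a PROPFIND whose If header begins with "<http://" and is abnormally long) is also what a WAF signature for the call-to-action section needs to key on. The following is an added example, not code from the original post or from any vendor signature: a small HTTP request-head parser plus a matcher that flags that shape, run over constructed sample traffic. The 256-byte threshold, the sample requests, the host names, and the function names are all assumptions made here for illustration; the threshold exists because a legitimate WebDAV `If: <http://host/file> (<locktoken>)` header also starts with "<http://", so the string prefix alone would false-positive on ordinary lock handling.

```python
"""Detection heuristic for the CVE-2017-7269 request shape described in the post.

Added example, not code from the original post. Assumptions (not from the
post): the 256-byte If-header threshold, the sample requests, the host names
and the function names are all constructed here for illustration.
"""
from typing import Optional

# Assumption: legitimate WebDAV If headers (tagged lists of lock tokens and
# entity tags around a short resource URL) rarely approach this size.
IF_HEADER_MAX_LEN = 256


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; repeated headers are joined with ", ".
    latin-1 keeps a 1:1 byte-to-char mapping, so len() still reflects bytes.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target = parts[0], parts[1]
    headers: dict[str, str] = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method.upper(), target, headers


def match_cve_2017_7269(raw: bytes) -> Optional[str]:
    """Return a reason string if `raw` matches the reported trigger, else None.

    Trigger per the NVD text quoted in the post: a PROPFIND request whose If
    header begins with "<http://" and is long. The length test is what
    separates it from ordinary WebDAV lock handling, where
    `If: <http://host/file> (<token>)` is perfectly normal.
    """
    method, _target, headers = parse_request_head(raw)
    if method != "PROPFIND":
        return None
    if_value = headers.get("if")
    if if_value is None or not if_value.startswith("<http://"):
        return None
    if len(if_value) <= IF_HEADER_MAX_LEN:
        return None
    return (f"PROPFIND with {len(if_value)}-byte If header starting with "
            f"'<http://' (limit {IF_HEADER_MAX_LEN})")


def scan(requests: list[bytes]) -> list[tuple[int, str]]:
    """Run the matcher over captured requests; return (index, reason) hits.

    Unparseable requests are reported as hits too: a filter in front of a
    vulnerable server should fail closed rather than wave malformed input on.
    """
    hits: list[tuple[int, str]] = []
    for i, raw in enumerate(requests):
        try:
            reason = match_cve_2017_7269(raw)
        except ValueError as exc:
            reason = f"unparseable request: {exc}"
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample traffic (not real captures).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/report.docx HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Depth: 0\r\n"
    b"If: <http://intranet.example/docs/report.docx> "
    b"(<opaquelocktoken:2f5a1b7c-0000-4000-8000-000000000001>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"If: <http://intranet.example/" + b"A" * 400 + b">\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_REQUESTS = [BENIGN_PROPFIND, BENIGN_GET, SUSPICIOUS_PROPFIND]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {reason}")
```

Running the block as a script prints one hit for the third sample and nothing for the first two. The same matcher can be pointed at a proxy or IIS request capture by feeding it raw request heads; header-name matching is case-insensitive, so an `if:` spelled in lower case is caught as well.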