On March 28, 2017, a buffer overflow vulnerability in IIS that results in remote code execution (0-day) was disclosed. The vulnerability was discovered by Zhiniang Peng and Chen Wu of the Information Security Laboratory, School of Computer Science and Engineering, South China University of Technology. The vulnerability was first exploited in July and August 2016.
See the following for more information about the vulnerability.
IIS remote code execution vulnerability
The ScStoragePathFromUrl function has a buffer overflow vulnerability in the IIS 6.0 WebDAV service on Windows Server 2003. The vulnerability allows an attacker to run arbitrary code by constructing a PROPFIND request with a long header.
Condition and method of exploitation
Attackers can exploit the vulnerability remotely to run code.
WebDAV-enabled IIS 6.0 for Microsoft Windows Server 2003 R2
Check whether WebDAV is enabled. WebDAV is disabled in IIS by default. Open IIS Manager, expand the local computer, select Web Service Extensions, and view the WebDAV status in the right pane.
Use nc to check remotely whether a server is affected. If the returned banner information shows IIS 6.0 and PROPFIND is included in the HTTP methods returned, the vulnerability exists.
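The remote check described above, as an added example that is not part of the original advisory: it classifies a response captured with nc. It assumes the probe is an HTTP OPTIONS request, that the banner is the Server header, and that the returned methods are listed in the Allow and Public headers; HOST is a placeholder and the sample response is constructed.

```shell
#!/bin/sh
# Added example. Capture a response first (HOST is a placeholder):
#   printf 'OPTIONS / HTTP/1.1\r\nHost: HOST\r\nConnection: close\r\n\r\n' | nc HOST 80 > resp.txt
#   classify_response < resp.txt

# Constructed sample of what a WebDAV-enabled IIS 6.0 server might return.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n'
    printf 'Public: OPTIONS, TRACE, GET, HEAD, PROPFIND, PROPPATCH\r\n'
    printf 'Allow: OPTIONS, TRACE, GET, HEAD\r\nContent-Length: 0\r\n\r\n'
}

# Print the value(s) of header $1 (name matched case-insensitively) from stdin.
header_value() {
    tr -d '\r' | awk -v name="$1" '
        /^$/ { exit }    # blank line ends the header section
        {
            i = index($0, ":")
            if (i && tolower(substr($0, 1, i - 1)) == tolower(name)) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v
            }
        }'
}

# Read a response on stdin and print one verdict:
#   affected        IIS 6.0 banner and PROPFIND among the returned methods
#   iis6-no-webdav  IIS 6.0 banner, PROPFIND not returned
#   not-iis6        banner does not show IIS 6.0
classify_response() {
    resp=$(cat)
    server=$(printf '%s\n' "$resp" | header_value Server)
    methods="$(printf '%s\n' "$resp" | header_value Allow)
$(printf '%s\n' "$resp" | header_value Public)"
    case "$server" in
        *Microsoft-IIS/6.0*) ;;
        *) echo not-iis6; return 0 ;;
    esac
    # Normalise to ",M1,M2," so PROPFIND only matches as a whole method name.
    list=",$(printf '%s\n' "$methods" | tr '\n' ',' | tr -d ' \t' | tr 'a-z' 'A-Z'),"
    case "$list" in
        *,PROPFIND,*) echo affected ;;
        *) echo iis6-no-webdav ;;
    esac
}
```

A verdict of iis6-no-webdav still means the host runs the unsupported Windows Server 2003 platform, so confirm the WebDAV setting in IIS Manager as well.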
How to fix or mitigate
Because Microsoft no longer provides support for Windows Server 2003, we recommend that you disable the WebDAV functionality.
You can use Alibaba Cloud Security WAF to defend against the vulnerability.