edit-icon download-icon

[Vulnerability notice] CVE-2017-7269: Remote code execution vulnerability in IIS

Last Updated: Apr 08, 2018

On March 28, 2017, it was revealed that IIS has a buffer overflow vulnerability, which results in remote code execution vulnerability (0-day). The vulnerability was detected by Zhiniang Peng and Chen Wu in the School of Computer Science and Engineering, Information Security Laboratory, South China University of Technology. The vulnerability was first exploited in July and August 2016.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-7269

Vulnerability name

IIS remote code execution vulnerability

Vulnerability rating

High

Vulnerability description

The ScStoragePathFromUrl function has a buffer overflow vulnerability in the IIS 6.0 WebDAV service on Windows Server 2003. The vulnerability allows an attacker to run arbitrary code by constructing a PROPFIND request with a long header.

Condition and method of exploitation

Hackers can exploit the vulnerability by running code remotely.

Affected scope

WebDAV-enabled IIS 6.0 for Microsoft Windows Server 2003 R2

Vulnerability detection

  • Check whether WebDAV is enabled. WebDAV is disabled in IIS by default. You can start IIS Manager, start a local computer, select Web Service Extensions, and view the WebDAV enabling status on the right.

  • Use nc to remotely check for the impact. If IIS 6.0 is in the returned banner information and PROPFIND is included in the HTTP return method, the vulnerability exists.

    options

How to fix or mitigate

  • Because Microsoft no longer provides support for Windows Server 2003, we recommend that you disable the WebDAV functionality.

  • You can use Alibaba Cloud Security WAF to defend against the vulnerability.

Reference

[1]. http://m.bobao.360.cn/learning/detail/3664.html?from=groupmessage&isappinstalled=1

Thank you! We've received your feedback.