Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched

Researchers have disclosed a zero-day vulnerability and proof-of-concept exploit for a flaw in Microsoft IIS 6.0. The zero-day has been under attack since last July, the researchers said.

Microsoft is unlikely to patch a zero-day vulnerability in an older version of its Internet Information Services (IIS) webserver that’s been publicly attacked since last July and August.

Two researchers from the South China University of Technology in Guangzhou posted a proof-of-concept exploit for the zero-day three days ago to GitHub. The vulnerability is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS, version 6.0. IIS 6.0 was first shipped with Windows Server 2003, support for which was cut off in July 2015.

“This issue (CVE-2017-7269) does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” a Microsoft spokesperson said.

The researchers, Zhiniang Peng and Chen Wu, said successful exploits allow a remote attacker to execute code via a long header beginning with “If: <http://” in a PROPFIND request.

According to Microsoft, a WebDAV PROPFIND Method “retrieves properties for a resource identified by the request Uniform Resource Identifier (URI). The PROPFIND Method can be used on collection and property resources.”

IIS remains a relatively popular webserver; recent statistics indicate it runs 11.4 percent of websites, third in market share behind Apache (50.2 percent) and Nginx (33.1 percent). Of those sites running IIS, 87.2 percent are on either IIS 7 or IIS 8, with 11.3 percent of those sites running version 6.

That’s a hefty number of websites still on unsupported versions of the software, and now with exploit code public, it’s likely attackers will begin developing exploits targeting vulnerable sites.

The best mitigation for IIS 6 installations would be to disable WebDAV. WebDAV is short for World Wide Web Distributed Authoring and Versioning, a standard describing HTTP extensions that allow remote web clients to collaborate, write and edit content on a server.
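
Where WebDAV cannot be disabled right away, the request shape the researchers describe (a PROPFIND request with a long If header beginning with `<http://`) can be checked for at a reverse proxy or in captured traffic. The following Python sketch is an added example, not code from the researchers or from Microsoft; the 256-byte threshold, the function names and the sample requests are assumptions constructed for illustration.

```python
# Assumption: legitimate If headers (lock tokens, ETags) are far shorter; tune per site.
MAX_IF_HEADER_LEN = 256
TRIGGER_PREFIX = "<http://"


def parse_request_head(raw: bytes):
    """Return (method, headers); headers maps lower-cased names to value lists."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers, current = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current:
            # Obsolete line folding: continuation of the previous header value.
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, skip it
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return method, headers


def check_request(raw: bytes):
    """Return findings for one raw request; an empty list means not flagged."""
    method, headers = parse_request_head(raw)
    if method != "PROPFIND":
        return []
    findings = []
    for value in headers.get("if", []):
        if value.lower().startswith(TRIGGER_PREFIX) and len(value) > MAX_IF_HEADER_LEN:
            findings.append(f"PROPFIND with {len(value)}-byte If header starting '<http://'")
    return findings


# Constructed sample requests (not captured traffic; padding only, no payload).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\nDepth: 1\r\n"
          b"If: <http://example.test/docs/> (<opaquelocktoken:constructed>)\r\n\r\n")
OVERLONG = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
            b"If: <http://example.test/" + b"A" * 600 + b">\r\n\r\n")
FOLDED = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
          b"If: <http://example.test/\r\n " + b"A" * 600 + b">\r\n\r\n")
GET_LONG = b"GET / HTTP/1.1\r\nIf: <http://" + b"A" * 600 + b">\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("overlong", OVERLONG),
                      ("folded", FOLDED), ("get", GET_LONG)):
        print(name, check_request(req))
```

The check reads raw request heads because it needs the full If header value; the folded-header case is handled so that splitting the value across lines does not hide its length.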

Discussion

  • Anonymous on

    I don't think you understand what zero-day means. If it's known, it's not zero-day. If you're posting about it, it's not zero-day.
  • Anonymous on

    "posted a proof-of-concept exploit for the zero-day three days ago" ... I mean really, it's like you didn't even think about what you said there.
