Jump to content

New IIS 6.0 Zero-Day Exploited in Live Attacks Since July 2016


CrAKeN

Recommended Posts

ServerCache.png

 

Since July 2016, attackers have been using a zero-day in IIS 6.0 to compromise and take over Windows servers.

 

The zero-day was discovered by two Chinese researchers from the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China.

 

The two published proof-of-concept exploit code on GitHub two days ago, after Microsoft acknowledged the flaw, but said it couldn't patch it as it affected EOL products, for which it doesn't issue updates anymore.

 

Zero-day affects only IIS 6.0 servers


The vulnerability only affects IIS 6.0, which was released in November 2010, and shipped with Windows Server 2003 and Windows XP Professional x64 Edition.

 

Older operating systems might also use IIS 6.0, if their admins installed updates. Microsoft IIS (Internet Information Services), an extensible web server that ships with all Windows OS versions, is currently at version 10.

 

IIS 6.0 accounts for around 11.3% of all IIS installations, according to data from W3Techs, while IIS overall takes up 11.4% of the entire web server market.

 

Zero-day affects the IIS WebDAV service


According to the Chinese security experts, the IIS 6.0 zero-day affects the WebDAV service included by default in all IIS distributions. WebDAV is an extension of the HTTP protocol that simplifies sharing and content authoring.

 

Chinese researchers say that an attacker can craft and send a malicious PROPFIND request that contains an oversized IF header. When the IIS WebDAV controller reads this request, a buffer overflow occurs, allowing attackers to deliver and execute code on the targeted server.

 

Depending on the attacker's skills, this zero-day, tracked as CVE-2017-7269, can allow a hacker to take over Windows servers.

 

Turning off IIS WebDAV is recommended

 

The Chinese researchers say they've identified attacks with this vulnerability going back to July and August 2016.

 

Server owners should update IIS servers to a newer version, unaffected by this issue, or at least disable the WebDAV service if they can't upgrade servers for technical reasons.

 

An alternative technical breakdown of the CVE-2017-7269 zero-day is available on the Trend Micro blog.

 

Source

Link to comment
Share on other sites


  • Views 265
  • Created
  • Last Reply

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...