Millions of Websites Affected by IIS 6.0 Zero-Day

More than 8 million websites could be exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July 2016, researchers warn.

The bug was found in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0. The issue, tracked as CVE-2017-7269, resides in the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to cause denial of service or to run arbitrary code.

Discovered by two researchers with the Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China, the vulnerability was exploited in the wild in July or August 2016. This week, the researchers published a proof-of-concept on GitHub and revealed that Microsoft has already acknowledged the bug.

The WebDAV extension of the HTTP protocol allows clients to perform remote Web content authoring operations, offering support for new HTTP methods, including COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

The exploit abuses the PROPFIND method and IF header. The former, Trend Micro’s Virendra Bisht explains, “retrieves properties defined on the resource identified by the Request-URI” and is supported by all WebDAV-Compliant resources, while the latter “handles the state token as well as the ETags.”

According to Bisht, “the vulnerability could be exploited with an overly large ‘IF’ header in the ‘PROPFIND’ request with at least two http resources in the IF header.” The researcher also explains that, while successful attacks could lead to remote code execution, unsuccessful attacks could sometimes lead to denial of service conditions.
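The two traits Bisht describes, an oversized IF header on a PROPFIND request that references two or more http resources, are simple enough to check for at a reverse proxy or in captured request logs. The following detector is an added illustration and is not code from the article, from Trend Micro, or from the researchers who reported the bug; the length threshold, the hostnames, and the two sample requests are constructed for this example and are not values published anywhere on this page.

```python
"""Flag WebDAV PROPFIND requests whose IF header looks abnormal.

Added example (not from the article or any vendor): parses raw HTTP request
headers and reports PROPFIND requests whose IF header is unusually long and,
as a second signal, references two or more http resources. Thresholds and
sample requests below are constructed for this illustration.
"""
import re

# Constructed heuristics for this example; tune to your own traffic baseline.
MAX_IF_HEADER_LEN = 1024   # assumption: legitimate IF headers are far shorter
MIN_RESOURCE_TAGS = 2      # the article cites "at least two http resources"

# WebDAV IF headers carry tagged resources as <URL>; count those that begin with http.
RESOURCE_TAG = re.compile(r"<http[^>]*>", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers).

    Header names are lower-cased; repeated headers are joined with ", ".
    Returns None when the request line does not have three parts.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method.upper(), path, headers


def assess(raw: str):
    """Return the reasons a request is suspicious; an empty list means benign."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line"]
    method, _path, headers = parsed
    # Only PROPFIND requests carrying an IF header are of interest here.
    if method != "PROPFIND" or "if" not in headers:
        return []
    if_header = headers["if"]
    reasons = []
    if len(if_header) > MAX_IF_HEADER_LEN:
        reasons.append(f"IF header length {len(if_header)} exceeds {MAX_IF_HEADER_LEN}")
        # Resource count is only reported alongside an oversized header, because
        # several tagged resources in a short IF header are ordinary WebDAV usage.
        tags = RESOURCE_TAG.findall(if_header)
        if len(tags) >= MIN_RESOURCE_TAGS:
            reasons.append(f"oversized IF header references {len(tags)} http resources")
    return reasons


def scan(requests):
    """Return [(index, reasons)] for every request in the batch that is flagged."""
    return [(i, assess(r)) for i, r in enumerate(requests) if assess(r)]


# Constructed sample traffic: one ordinary PROPFIND and one oversized IF header.
BENIGN_REQUEST = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: files.example.test\r\n"
    "Depth: 1\r\n"
    "If: <http://files.example.test/docs/a.txt> (<opaquelocktoken:constructed-1>)\r\n"
    "\r\n"
)
OVERSIZED_REQUEST = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: files.example.test\r\n"
    "If: <http://files.example.test/" + "x" * 1200 + "> <http://files.example.test/b>\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for index, reasons in scan([BENIGN_REQUEST, OVERSIZED_REQUEST]):
        print(f"request {index}: " + "; ".join(reasons))
```

The length check is deliberately the primary signal: a handful of tagged resources in a normal-sized IF header is legitimate WebDAV, so the resource count is only reported once the header is already oversized. A sensible threshold comes from your own logs, not from this example.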

Data from W3Techs reveals that Microsoft’s IIS is currently the third most popular web server technology out there, powering 11.4% of all websites. While newer versions of Microsoft’s technology are more popular, IIS 6.0 still accounts for 11.3% of the IIS-powered websites, which results in 1.3% of all websites out there being powered by this version.

According to BuiltWith, however, IIS powers 13.8% of all live websites, while the IIS 6.0 version is used by 2.3% of the entire Internet. This means that over 8.3 million live websites are using IIS 6.0, including tens of thousands of the most popular sites out there. However, the number is constantly dropping.

Disabling the WebDAV service on the vulnerable IIS 6.0 installations can mitigate the risk posed by this vulnerability, Trend Micro’s researcher says. The flaw does not affect newer versions of IIS.

Because IIS 6.0 was included with Windows Server 2003, an old operating system version that is no longer supported by Microsoft, it’s unlikely that a patch will be released for this zero-day.

“Nobody should be running IIS 6 in 2017. This is unsupported and unsafe software and must be upgraded ASAP,” Craig Young, Principal Security Researcher for Tripwire, told SecurityWeek. “All vulnerabilities in this software are going to be zero-day forever and while there may be mitigations for this attack, it is incredibly risky to run obsolete software on the Internet.”

“This issue does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” a Microsoft spokesperson told SecurityWeek in an emailed statement.

Related: OpenSSL Patches TLS Flaw Exposing Many HTTPS Servers

Related: Shadow Brokers Now Selling Windows, AV Exploits in ZeroNet Marketplace

Written By

Ionut Arghire is an international correspondent for SecurityWeek.