Re: significant IIS 6 vulnerability with published exploit, some Alaskan impact


Thanks Royce. It is a good day when none of my managed domains show up on your hit list :-D

On Thu, Mar 30, 2017, 7:03 AM Royce Williams <royce@...> wrote:
The vulnerability:

Why it matters:

This one is now very unlikely to receive a patch from Microsoft. It also now has a public exploit. It is likely to be weaponized (or even turn into a worm) soon, as the bar to recreating the exploit appears to be low.


Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Alaskan exposure:

At least 109 Alaskan hosts in 83 unique domains appear to still be running IIS 6, including some pretty familiar names.  

Here is the list:

I've also made a list of just the domains by frequency count, sorted by domain, for easy visual checking:

Let me know if you can't retrieve them. 

I've tried to restrict these lists to known Alaskan networks, but it's trivial obscurity. IIS version is publicly discoverable, even if you suppress the web server's advertisement of its version. Tools like Shodan allow anyone to query for IIS version and geography, so this list is trivially recreate-able. And exploit is likely to be so easy that it can be tried against every server, regardless of version. 

Call to action:

Advise your clients/stakeholders, mitigate, and/or forward to interested parties accordingly. 

If you have a WAF in front of your web server, ensure that it has a signature for this. If you don't have a WAF, consider putting one in front of the server. Something like Cloudfront can be spun up pretty quickly.



JP (Jesse Perry)

voice/txt: 907-748-2200
email: jp@...

Join { to automatically receive all group messages.