eSentire has detected active exploit attempts for CVE-2017-7269 (IIS 6.0 Buffer Overflow Vulnerability). This vulnerability allows remote code execution on affected devices. A proof-of-concept exploit is currently publicly available to attackers; it takes advantage of a buffer overflow in the WebDAV component of IIS. Because exploit code for this vulnerability has been published, eSentire expects exploit attempts to intensify in the coming days.

The WebDAV extension is disabled in a default install of IIS 6.0 and must be explicitly enabled for the server to be vulnerable. Exploitation attempts can be identified by looking for HTTP requests that use the PROPFIND method and carry an IF header containing shellcode. The vulnerability has not been detected in other versions of Internet Information Services. It was reportedly exploited as far back as summer 2016 but was only publicly disclosed on March 27, 2017.
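The detection heuristic described above (PROPFIND requests whose IF header carries shellcode), as an added example that is not part of eSentire's advisory: a small Python checker that parses raw HTTP requests and flags any PROPFIND whose `If` header is either longer than an assumed 256-byte threshold or contains bytes outside printable ASCII, which is what a legitimate lock-token or ETag list never needs. The sample requests and the threshold are constructed assumptions, not captured traffic.

```python
from typing import Dict, List, Optional, Tuple

# Assumed threshold: legitimate WebDAV If headers hold short lock tokens or
# ETags, so anything far beyond this is worth an analyst's attention.
IF_MAX_LEN = 256

# Constructed sample requests (not real captures). The second one only mimics
# the shape the advisory describes: an oversized, non-text If header.
BENIGN_REQUEST = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example.internal\r\nDepth: 0\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)
SUSPICIOUS_REQUEST = (
    b"PROPFIND / HTTP/1.1\r\nHost: files.example.internal\r\n"
    b"If: <" + b"\xc1\x81" * 300 + b">\r\n\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, bytes]]:
    """Split a raw HTTP request into (METHOD, {lower-case header name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:  # ignore malformed header lines without a colon
            headers[name.strip().decode("latin-1").lower()] = value.strip()
    return method, headers


def check_request(raw: bytes) -> Optional[str]:
    """Return a reason string if the request looks like a CVE-2017-7269 attempt, else None."""
    method, headers = parse_request(raw)
    if method != "PROPFIND" or "if" not in headers:
        return None
    value = headers["if"]
    if len(value) > IF_MAX_LEN:
        return f"oversized If header ({len(value)} bytes)"
    if any(b < 0x20 or b > 0x7E for b in value):
        return "non-printable bytes in If header"
    return None


def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run check_request over a batch and return (index, reason) for each hit."""
    hits = [(i, check_request(r)) for i, r in enumerate(requests)]
    return [(i, reason) for i, reason in hits if reason is not None]
```

Run `scan([BENIGN_REQUEST, SUSPICIOUS_REQUEST])` to see only the second request flagged; the same function can be fed requests reconstructed from a packet capture or a reverse proxy log that preserves header values.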


Recommended Actions:

  • Devices running IIS 6.0 with WebDAV enabled should be checked for signs of compromise.
  • The WebDAV extension should be disabled and/or the IIS server software upgraded to a more recent version.
  • Be aware that Microsoft no longer supports this software, so no official patches will be made available.


References:

https://nvd.nist.gov/vuln/detail/CVE-2017-7269

http://blog.trendmicro.com/trendlabs-security-intelligence/iis-6-0-vulnerability-leads-code-execution/
