CVE-2007-2897 in IIS

Summary

by MITRE

Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to cause a denial of service (server instability or device hang), and possibly obtain sensitive information (device communication traffic); and might allow attackers with physical access to execute arbitrary code after connecting a data stream to a device COM port; via requests for a URI containing a / immediately before and after the name of a DOS device, as demonstrated by the /AUX/.aspx URI, which bypasses a blacklist for DOS device requests.


Analysis

by VulDB Data Team • 06/08/2025

Microsoft Internet Information Services version 6.0 contains a critical vulnerability that lets remote attackers carry out several kinds of malicious activity through specially crafted URI requests. The vulnerability stems from inadequate input validation and sanitization in the IIS web server's handling of Uniform Resource Identifiers, particularly for requests that reference DOS device names. The flaw manifests when a URI contains a forward slash immediately before and after a DOS device name such as AUX, PRN, CON, LPT1, or COM1, producing patterns like /AUX/.aspx that bypass the blacklist designed to prevent access to these system resources.

The vulnerability arises from the way IIS 6.0 processes file paths and device names, which lets attackers manipulate the request parsing logic to reach low-level system resources that should normally be restricted. When a request is made for a URI such as /AUX/.aspx, the web server's path resolution mechanism incorrectly interprets the device name reference, potentially causing the server to attempt communication with the underlying operating system device drivers. This misinterpretation opens several attack vectors, including denial of service conditions that can destabilize the web server or cause complete system hangs.

The operational impact of this vulnerability extends beyond simple denial of service scenarios to encompass potential information disclosure and arbitrary code execution capabilities. Remote attackers can exploit this weakness to gain access to sensitive communication traffic that flows through the device ports, potentially exposing confidential data transmitted over these channels. In scenarios where attackers have physical access to the system, the vulnerability can be escalated to achieve arbitrary code execution by connecting data streams to device COM ports, effectively allowing attackers to execute malicious code with the privileges of the web server process. This represents a significant security risk as it can lead to complete system compromise and unauthorized access to sensitive resources.

This vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and CWE-122, which covers heap-based buffer overflow conditions. The attack pattern follows techniques documented in the MITRE ATT&CK framework under T1190 for exploitation of remote services and T1059 for command and scripting interpreter usage. Organizations should implement immediate mitigations including patching the IIS 6.0 server with the appropriate Microsoft security updates, implementing strict URI validation controls, and configuring network access controls to restrict access to potentially vulnerable endpoints. Additionally, network segmentation and monitoring solutions should be deployed to detect anomalous URI patterns that might indicate exploitation attempts, while system administrators should regularly review and audit web server configurations to ensure that device name restrictions remain properly enforced.
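The monitoring recommendation above can be made concrete with a log check. The following is an added example, not code from VulDB, MITRE or Microsoft: it scans IIS W3C extended log lines for requests in which a path segment resolves to a DOS device name, normalising case and percent-encoding first. The function names, the extended device list (NUL, COM1-9, LPT1-9) and the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names. The page lists AUX, PRN, CON, LPT1 and COM1;
# NUL and the COM1-9 / LPT1-9 ranges are added here as an assumption.
DEVICE_RE = re.compile(r"^(?:aux|prn|con|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)

def device_segments(uri_path):
    """Return the path segments of uri_path that name a DOS device."""
    # Decode twice so single and double percent-encoding are both normalised.
    decoded = unquote(unquote(uri_path)).replace("\\", "/")
    hits = []
    for segment in decoded.split("/"):
        # Windows ignores an extension, a trailing colon and trailing spaces,
        # so "aux.txt" and "AUX:" still refer to the device.
        stem = segment.split(".", 1)[0].split(":", 1)[0].strip(" ")
        if DEVICE_RE.match(stem):
            hits.append(segment)
    return hits

def scan_w3c_log(lines):
    """Return (client_ip, uri, segments) for each request naming a device."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout for the rows that follow
        elif line and not line.startswith("#") and "cs-uri-stem" in fields:
            row = dict(zip(fields, line.split()))
            hits = device_segments(row.get("cs-uri-stem", ""))
            if hits:
                findings.append((row.get("c-ip", "-"), row["cs-uri-stem"], hits))
    return findings

# Constructed sample log in W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-05-30 10:00:01 192.0.2.10 GET /default.aspx 200
2007-05-30 10:00:05 192.0.2.77 GET /AUX/.aspx 500
2007-05-30 10:00:09 192.0.2.77 GET /%41ux/.aspx 500
2007-05-30 10:00:12 192.0.2.10 GET /console/help.aspx 200
2007-05-30 10:00:15 198.51.100.4 GET /files/com1.txt 404
"""

if __name__ == "__main__":
    for ip, uri, hits in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {uri}: device segment(s) {hits}")
```

Matching whole segments after normalisation keeps benign paths such as /console/help.aspx out of the results, which a plain substring match on the device names would not.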

Reservation: 05/29/2007
Disclosure: 05/30/2007
Moderation: accepted
Entry: VDB-37004
CPE: ready
Exploit: Download
EPSS: 0.53862
KEV: no
Activities: very low
