Microsoft IIS 6.0 on Windows Server 2003 WebDAV ScStoragePathFromUrl Long Header Immortal/ExploidingCan memory corruption
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 8.9 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, has been found in Microsoft IIS 6.0 on Windows Server 2003. Affected by this issue is the function ScStoragePathFromUrl of the component WebDAV. The manipulation as part of Long Header leads to memory corruption (Immortal/ExploidingCan).
This vulnerability is documented as CVE-2017-7269. The attack can be initiated remotely. Additionally, an exploit exists. This vulnerability has a historic impact because of its background and how it was received.
It is advisable to upgrade the affected component.
Details
A vulnerability, which was classified as critical, has been found in Microsoft IIS 6.0 on Windows Server 2003 (Web Server). This issue affects the function ScStoragePathFromUrl of the component WebDAV. The manipulation as part of a Long Header leads to a memory corruption vulnerability (Immortal/ExploidingCan). Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
The bug was discovered 07/01/2016. The weakness was released 03/27/2017 by Zhiniang Peng and Chen Wu as confirmed git commit (GitHub Repository). The advisory is shared at github.com. The public release happened without involvement of Microsoft. The identification of this vulnerability is CVE-2017-7269 since 03/26/2017. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/05/2025). Due to its background and reception, this vulnerability has a historic impact.
A public exploit has been developed by Zhiniang Peng/Chen Wu (zcgonvh) in Python and been published 4 days after the advisory. The exploit is available at github.com. It is declared as attacked. The vulnerability was handled as a non-public zero-day exploit for at least 268 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 99281 (Microsoft Windows Server 2003 R2 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Web Servers and running in the context r. The commercial vulnerability scanner Qualys is able to test this issue with plugin 87284 (Microsoft Internet Information Services 6.0 Buffer Overflow Vulnerability - Shadow Brokers (EXPLODINGCAN)). It appears that cybercriminals are looking for this issue to compromise the machines as soon as possible. Further investigation shows that most hosts are then used as zombie nodes within a DDoS network. It is expected that politically motivated attackers are using the possibilities soon to gain more reachability.The CISA Known Exploited Vulnerabilities Catalog lists this issue since 11/03/2021 with a due date of 05/03/2022:
Apply updates per vendor instructions.Upgrading to version 7.0 eliminates this vulnerability. MS IIS 6.0 is end-of-life and will not receive an official patch.
The vulnerability is also documented in the databases at Exploit-DB (41738), Zero-Day.cz (440), Tenable (99281), SecurityFocus (BID 97127†) and SecurityTracker (ID 1038168†). helpnetsecurity.com is providing further details. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.microsoft.com/
CPE 2.3
CPE 2.2
Video
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 9.0VulDB Meta Temp Score: 8.9
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CNA Base Score: 9.8
CNA Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: Immortal/ExploidingCanClass: Memory corruption / Immortal/ExploidingCan
CWE: CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Attacked
Author: Zhiniang Peng/Chen Wu (zcgonvh)
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 99281
Nessus Name: Microsoft Windows Server 2003 R2 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 103485
OpenVAS Name: Microsoft Internet Information Services Buffer Overflow Vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
MetaSploit ID: iis_webdav_scstoragepathfromurl.rb
MetaSploit Name: Microsoft IIS WebDav ScStoragePathFromUrl Overflow
MetaSploit File: 🔍
Exploit-DB: 🔍
Zero-Day.cz: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Exploit Delay Time: 🔍
Upgrade: IIS 7.0
Patch: github.com
Snort Message: WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl overflow attempt
Snort Class: 🔍
Snort Pattern: 🔍
Suricata ID: 2024107
Suricata Class: 🔍
Suricata Message: 🔍
Timeline
07/01/2016 🔍03/26/2017 🔍
03/26/2017 🔍
03/26/2017 🔍
03/27/2017 🔍
03/27/2017 🔍
03/27/2017 🔍
03/31/2017 🔍
03/31/2017 🔍
04/11/2017 🔍
02/05/2025 🔍
Sources
Vendor: microsoft.comAdvisory: github.com
Researcher: Zhiniang Peng, Chen Wu
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2017-7269 (🔍)
GCVE (CVE): GCVE-0-2017-7269
GCVE (VulDB): GCVE-100-98561
OVAL: 🔍
SecurityFocus: 97127 - Microsoft Internet Information Services CVE-2017-7269 Buffer Overflow Vulnerability
SecurityTracker: 1038168
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
Entry
Created: 03/27/2017 16:28Updated: 02/05/2025 01:01
Changes: 03/27/2017 16:28 (115), 12/29/2019 19:47 (1), 11/15/2022 12:32 (4), 04/19/2024 10:45 (23), 07/06/2024 09:19 (2), 07/25/2024 17:46 (1), 09/09/2024 22:29 (1), 02/05/2025 01:01 (11)
Complete: 🔍
Cache ID: 216:8AC:103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.