Vulnerability in WebDAV Service Within Internet Information Services (IIS) 6.0 and Microsoft Windows Server 2003

ITS Advisory Number: 2017-029
Date(s) Issued: Wednesday, March 29, 2017
Subject: Vulnerability in WebDAV Service Within Internet Information Services (IIS) 6.0 and Microsoft Windows Server 2003
Overview: 

Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day buffer overflow caused by improper validation of the 'IF' header in a PROPFIND request. A remote attacker could exploit this vulnerability in the IIS WebDAV component with a crafted request using the PROPFIND method. Successful exploitation could result in a denial-of-service condition or arbitrary code execution in the context of the user running the application.

Systems Affected: 
  • Microsoft Windows Server: 2003 R2

  • Microsoft Windows Internet Information Services (IIS) version 6.0

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: Medium
BUSINESS
  • Large and medium business entities: High
  • Small business entities: Medium
Home Users: Low
Description: 

Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day buffer overflow caused by improper validation of the 'IF' header in a PROPFIND request. The vulnerability is as follows:

A remote attacker could exploit this vulnerability in the IIS WebDAV component with a crafted request using the PROPFIND method. Successful exploitation could result in a denial-of-service condition or arbitrary code execution in the context of the user running the application. According to the researchers who found this flaw, this vulnerability was exploited in the wild in July or August 2016. It was disclosed to the public on March 27. Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code. (CVE-2017-7269)

Web Distributed Authoring and Versioning (WebDAV) is an extension of the HTTP protocol that allows clients to perform remote Web content authoring operations. WebDAV extends the set of standard HTTP methods and headers allowed in an HTTP request. A few examples of WebDAV methods are COPY, LOCK, MKCOL, PROPFIND, and UNLOCK.

This vulnerability is exploited using the PROPFIND method and the IF header. The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All WebDAV-compliant resources must support the PROPFIND method.

The IF header handles state tokens as well as ETags. It makes the request conditional by supplying a series of state lists with conditions that match tokens and ETags to a specific resource. If all states present in the IF header fail, the request fails with a 412 (Precondition Failed) status.

IIS 6.0 was included with Windows Server 2003; unfortunately, Microsoft no longer supports this old OS version and will not be patching it. To mitigate the risk, disabling the WebDAV service on the vulnerable IIS 6.0 installation is recommended. Newer versions of Windows Server, which ship with newer versions of IIS, are not affected by this vulnerability.

Actions: 
  • Upgrade to a newer supported version of Microsoft Windows Server.

  • Disable the WebDAV service on IIS 6.0 systems.
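
Because the flaw is reached through the PROPFIND method, reviewing IIS logs for PROPFIND requests is one way to see whether WebDAV is being exercised on a server before and after it is disabled. The following is an added example, not part of the original advisory: it reads W3C extended log lines, honours each #Fields directive, and groups PROPFIND requests by client IP. The log lines are constructed sample data, and the fields shown do not include the IF header, so the output lists requests to review rather than confirmed exploitation attempts.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-03-29 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-03-29 10:00:01 192.0.2.10 GET /index.htm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2017-03-29 10:00:05 192.0.2.10 PROPFIND / - 80 - 203.0.113.44 - 207 0 0
2017-03-29 10:00:06 192.0.2.10 PROPFIND / - 80 - 203.0.113.44 - 500 0 0
2017-03-29 10:02:11 192.0.2.10 OPTIONS / - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-03-29 11:15:42 203.0.113.90 propfind /docs 404
"""

def find_propfind(lines):
    """Yield one dict per PROPFIND record, using the most recent #Fields line."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue  # other directives, blanks, or data before any #Fields
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() == "PROPFIND":
            yield rec

def summarize(lines):
    """Map client IP -> sorted list of (timestamp, URI, status) for PROPFIND hits."""
    by_client = defaultdict(list)
    for rec in find_propfind(lines):
        stamp = f"{rec.get('date', '?')} {rec.get('time', '?')}"
        by_client[rec.get("c-ip", "?")].append(
            (stamp, rec.get("cs-uri-stem", "?"), rec.get("sc-status", "?")))
    return {ip: sorted(hits) for ip, hits in by_client.items()}

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, len(hits), "PROPFIND request(s)")
        for stamp, uri, status in hits:
            print("   ", stamp, uri, status)
```

On a server where WebDAV is not used for legitimate authoring, any client that appears in this summary warrants review.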