Windows Server 2003 & IIS 6.0 - Remote Code Execution

ID: NUCLEI:CVE-2017-7269
Type: nuclei
Source: ProjectDiscovery (github.com)
Date: 2021-02-24 13:29:23

Tags: cve-2017-7269, remote code execution, windows server 2003, iis 6.0, buffer overflow, webdav, microsoft

CVSS2: 10
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.6 (Confidence: High)

EPSS: 0.973 (Percentile: 99.9%)

Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.

id: CVE-2017-7269

info:
  name: Windows Server 2003 & IIS 6.0 - Remote Code Execution
  author: thomas_from_offensity,geeknik
  severity: critical
  description: |
    Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
  impact: |
    Allows remote attackers to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a supported version of Windows Server and IIS, or apply the necessary security patches.
  reference:
    - https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
    - https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
    - https://nvd.nist.gov/vuln/detail/CVE-2017-7269
    - https://github.com/edwardz246003/IIS_exploit
    - http://www.securitytracker.com/id/1038168
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-7269
    cwe-id: CWE-119
    epss-score: 0.97121
    epss-percentile: 0.9977
    cpe: cpe:2.3:a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: internet_information_server
    shodan-query: cpe:"cpe:2.3:a:microsoft:internet_information_server"
  tags: cve2017,cve,rce,windows,iis,kev,microsoft

http:
  - method: OPTIONS
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - regex("<DAV:sql>", dasl)
          - regex("[\d]+(,\s+[\d]+)?", dav)
          - regex(".*?PROPFIND", public)
          - regex(".*?PROPFIND", allow)
        condition: or

      - type: word
        part: header
        words:
          - "IIS/6.0"

      - type: status
        status:
          - 200
# digest: 490a004630440220495b1fa854301eccccabfffc0d5758e79ca9d470d6c9daeed43c960791f9e12d022068e5219d420072a580169f3a2124207ad3774a71cbd02d18543af151bc886452:922c64590222798bb761d5b6d8e72950
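
The template's matcher logic restated in Python and run over constructed OPTIONS responses, as an added example that is not ProjectDiscovery's code. The `evaluate` function, the `SAMPLES` data and the header-name-to-variable mapping are assumptions of this sketch; it shows that a match requires an IIS 6.0 banner, at least one advertised WebDAV signal and a 200 status, all taken from response headers.

```python
import re

# The four DSL expressions from the template; they are OR-ed together.
DSL_CHECKS = [
    ("dasl", r"<DAV:sql>"),
    ("dav", r"[\d]+(,\s+[\d]+)?"),
    ("public", r".*?PROPFIND"),
    ("allow", r".*?PROPFIND"),
]

def evaluate(status, headers):
    """Apply the template's three matchers (AND-ed) to one OPTIONS response."""
    # Assumption: header names map to DSL variables lowercased, '-' -> '_'.
    dsl_vars = {k.lower().replace("-", "_"): v for k, v in headers.items()}
    # A header missing from the response cannot satisfy its expression.
    signals = [n for n, pat in DSL_CHECKS
               if n in dsl_vars and re.search(pat, dsl_vars[n])]
    # The word matcher searches the whole header block, not just Server.
    raw = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    result = {
        "webdav_signals": signals,
        "iis6_banner": "IIS/6.0" in raw,
        "status_200": status == 200,
    }
    result["match"] = bool(signals) and result["iis6_banner"] and result["status_200"]
    return result

# Constructed sample responses (status, headers); not captured from real hosts.
SAMPLES = {
    "iis6-webdav": (200, {
        "Server": "Microsoft-IIS/6.0", "DASL": "<DAV:sql>", "DAV": "1, 2",
        "Public": "OPTIONS, TRACE, GET, HEAD, PUT, PROPFIND, LOCK, UNLOCK",
        "Allow": "OPTIONS, TRACE, GET, HEAD, PROPFIND, LOCK, UNLOCK"}),
    "iis6-no-webdav": (200, {
        "Server": "Microsoft-IIS/6.0",
        "Public": "OPTIONS, TRACE, GET, HEAD, POST",
        "Allow": "OPTIONS, TRACE, GET, HEAD"}),
    "iis10-webdav": (200, {
        "Server": "Microsoft-IIS/10.0", "DAV": "1,2,3",
        "Allow": "OPTIONS, PROPFIND"}),
    "iis6-403": (403, {"Server": "Microsoft-IIS/6.0", "DAV": "1, 2"}),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, evaluate(status, headers))
```

Because only response headers are examined, a host that suppresses its Server banner does not match, and a match says nothing about whether a mitigation is in place.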
