nessus | This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof. | IIS6_WEBDAV_CVE-2017-7269_DIRECT.NASL
HistoryApr 20, 2017 - 12:00 a.m.

Microsoft Windows Server 2003 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)

2017-04-20 00:00:00
This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
windows server 2003
iis 6.0
webdav
buffer overflow
remote code execution
equation group
shadow brokers
exploit

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.973

Percentile

99.9%

The remote host is running Windows Server 2003 and Internet Information Services (IIS) 6.0 with WebDAV enabled. It is, therefore, affected by a buffer overflow condition in the IIS WebDAV service due to improper handling of the ‘If’ header in a PROPFIND request. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code.

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Registration section. It runs only when `description` is set, declares the
# plugin's metadata and scheduling requirements, and then calls exit(0), so no
# request is sent to a target from inside this block.
if (description)
{
  script_id(99523);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  # Cross-references for correlating a finding with other feeds.
  # NOTE(review): the CISA-KNOWN-EXPLOITED value is a date; presumably the
  # catalog's remediation due date rather than the listing date. Confirm.
  script_cve_id("CVE-2017-7269");
  script_bugtraq_id(97127);
  script_xref(name:"EDB-ID", value:"41738");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Microsoft Windows Server 2003 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a remote code execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Windows Server 2003 and Internet
Information Services (IIS) 6.0 with WebDAV enabled. It is, therefore,
affected by a buffer overflow condition in the IIS WebDAV
service due to improper handling of the 'If' header in a PROPFIND
request. An unauthenticated, remote attacker can exploit this, via a
specially crafted request, to cause a denial of service condition or
the execution of arbitrary code.

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2017/04/14 by a group known as the Shadow
Brokers.");
  # Each shortened nessus.org link below is preceded by a comment giving the
  # full URL it stands for.
  # https://threatpost.com/publicly-attacked-microsoft-iis-zero-day-unlikely-to-be-patched/124641/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c9ce665b");
  # https://www.theregister.co.uk/2017/03/31/microsoft_wont_patch_server_2003/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ca2c1085");
  script_set_attribute(attribute:"see_also", value:"https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py");
  # https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?91b46151");
  # Remediation shown to the operator: migrate off the platform, or remove the
  # exposed component (IIS or WebDAV).
  # NOTE(review): the temporal vectors below use RL:OF / RL:O (official fix),
  # while this text offers only upgrade or disable. Confirm whether a vendor
  # fix should be mentioned here so the two fields agree.
  script_set_attribute(attribute:"solution", value:
"Windows Server 2003 and IIS 6.0 are no longer maintained or supported
by Microsoft. Upgrade to a currently supported version of Microsoft
Windows and IIS. Alternatively, disable either IIS or WebDAV.");
  # Base vectors: network-reachable, low complexity, no authentication or
  # privileges, full C/I/A impact. Temporal vectors mark exploit maturity as
  # high (E:H) and report confidence as confirmed (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7269");

  # Prioritisation signals: a public exploit, exploit-framework coverage and
  # use by malware are all recorded as true for this issue.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft IIS WebDav ScStoragePathFromUrl Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/20");

  # "remote": the verdict comes from talking to the service over the network,
  # not from credentialed inspection of the host.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
  script_end_attributes();

  # ACT_ATTACK: the body of this script sends a malformed PROPFIND request to
  # the target instead of deciding from the banner alone.
  # NOTE(review): check how the scan policy treats this category before
  # running it against fragile production hosts.
  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling requirements. The script body reads the KB entries "www/iis",
  # "www/<port>/webdav" and "Host/OS"; presumably the two dependencies listed
  # here are what populate the OS and WebDAV entries. Verify against them.
  script_dependencies("os_fingerprint.nasl", "webdav_enabled.nasl");
  script_require_keys("www/iis");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

# Preconditions. Every test below hands control to audit() unless the target
# is IIS 6.0 on Windows Server 2003 with WebDAV recorded in the KB. The probe
# is only sent once all of them hold, which keeps the crafted request away
# from hosts that are out of scope for this check.
get_kb_item_or_exit("www/iis");
port = get_http_port(default:80);

app = "Microsoft IIS";
banner = get_http_banner(port:port);

# Keep only the banner text from the Server: header onwards, so the anchored
# version pattern below can match at the start of the string.
if (banner =~ "Server: Microsoft-IIS")
  banner = strstr(banner, "Server:");
else
  audit(AUDIT_NOT_DETECT, app, port);

# WebDAV must already have been recorded for this port.
get_kb_item_or_exit("www/"+port+"/webdav");

# Pull the dotted version number out of the Server: header.
# NOTE(review): the version comes from the banner only, so a rewritten or
# suppressed Server header ends the check here without a probe being sent.
server_re = "^Server: Microsoft-IIS\/([\d]+(?:\.[\d]+)+)";
ver_match = pregmatch(string:banner, pattern:server_re);
if (!isnull(ver_match))
  version = ver_match[1];
else
  audit(AUDIT_UNKNOWN_APP_VER, app);

if (version != '6.0')
  audit(AUDIT_INST_VER_NOT_VULN, app, version);

# The OS has to identify as Windows Server 2003 (R2 included). The
# fingerprinted OS is tried first. The SMB native LAN manager string is the
# fallback when the first value is missing or names another OS.
os_name = get_kb_item("Host/OS");
if (isnull(os_name) || "Server 2003" >!< os_name)
  os_name = get_kb_item("SMB/NativeLanManager");

if (isnull(os_name))
  audit(AUDIT_OS_NOT, "known");
if ("Server 2003" >!< os_name)
  audit(AUDIT_OS_NOT, "Windows Server 2003");


# Detection probe: a single PROPFIND on "/" whose If header carries a URL
# padded with a fixed run of filler characters plus a lock-token condition.
# The request carries only filler and no executable content. The verdict is
# taken from how the server answers.
# NOTE(review): the positive signal is a 500 response whose body announces an
# exception, so the probe presumably drives the service into its fault path.
# Confirm the impact on the worker process before scanning hosts that cannot
# tolerate a service disruption.
# NOTE(review): Host is fixed to "localhost"; sites bound to a specific host
# header may answer differently. Verify coverage for name-based virtual hosts.
if_value = '<http://localhost/' + crap(data:'A', length:0x82) + '>' + ' (Not <locktoken:write1>) ';

res = http_send_recv3(
  port          : port,
  method        : "PROPFIND",
  item          : "/",
  add_headers   : make_array("If", if_value, "Host", "localhost", "Content-Length", 0),
  exit_on_fail  : TRUE
);

status_line = res[0];

if (status_line =~ "^HTTP/[0-9]\.[0-9] 207")
{
  # Multi-Status: the request was handled normally, so report not vulnerable.
  audit(AUDIT_INST_VER_NOT_VULN, app, version);
}
else if (status_line !~ "^HTTP/[0-9]\.[0-9] 500")
{
  # Neither of the two statuses this check knows how to interpret.
  audit(AUDIT_RESP_BAD, port, "a PROPFIND request. Unexpected response status: " + chomp(status_line));
}
else if ("Internal Server Error(exception)" >< res[2])
{
  # 500 with the exception marker in the body: report the finding and attach
  # the exact request so the operator can reproduce and verify it.
  security_report_v4(
    port     : port,
    severity : SECURITY_HOLE,
    extra    : 'Nessus was to able to detect the issue with the following request: \n\n' + http_last_sent_request()
  );
}
else
{
  # 500 without the marker is treated as inconclusive, not as a finding.
  audit(AUDIT_RESP_BAD, port, "a PROPFIND request. Unexpected HTTP 500 response body");
}
