Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched

Microsoft is unlikely to patch a zero-day vulnerability in an older version of its Internet Information Services (IIS) webserver that’s been publicly attacked since last July and August.

Two researchers from the South China University of Technology in Guangzhou posted a proof-of-concept exploit for the zero-day three days ago to Github. The vulnerability is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in IIS, version 6.0. IIS 6.0 was first shipped with Windows Server 2003, support for which was cut off in July 2015.

“This issue (CVE-2017-7269) does not affect currently supported versions. We continue to recommend that customers upgrade to our latest operating systems and benefit from robust, modern protection,” a Microsoft spokesperson said.

The researchers, Zhiniang Peng and Chen Wu, said successful exploits allow a remote attacker to execute code via a long header beginning with “If: <http://” in a PROPFIND request.

According to Microsoft, a WebDAVPROPFIND Method “retrieves properties for a resource identified by the request Uniform Resource Identifier (URI). The PROPFIND Method can be used on collection and property resources.”

IIS remains a relatively popular webserver; recent statistics indicate it stands up 11.4 percent of websites, third in market share behind Apache (50.2 percent) and Nginx (33.1 percent). Of those sites running IIS, 87.2 percent are on either IIS 7 or IIS 8, with 11.3 percent of those sites running version 6.

That’s still a hefty number of websites still on unsupported versions of the software, and now with exploit code public, it’s likely attackers will begin developing exploits targeting vulnerable sites.

The best mitigation for IIS 6 installations would be to disable WebDAV. WebDAV is short for the World Wide Web Distributed Authoring and Versioning standard that describes HTTP extensions that allows remote web clients to collaborate, write and edit content on a server.