Skip to content
Nuclei Templates

Windows Server 2003 & IIS 6.0 - Remote Code Execution

ID: CVE-2017-7269

Severity: critical

Author: thomas_from_offensity,geeknik

Tags: cve2017,cve,rce,windows,iis,kev,microsoft

Description

Section titled “Description”

Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with “If <http://” in a PROPFIND request.

YAML Source

Section titled “YAML Source”
id: CVE-2017-7269


info:
  name: Windows Server 2003 & IIS 6.0 - Remote Code Execution
  author: thomas_from_offensity,geeknik
  severity: critical
  description: |
    Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability in the ScStoragePathFromUrl function in the WebDAV service that could allow remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
  impact: |
    Allows remote attackers to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a supported version of Windows Server and IIS, or apply the necessary security patches.
  reference:
    - https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
    - https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
    - https://nvd.nist.gov/vuln/detail/CVE-2017-7269
    - https://github.com/edwardz246003/IIS_exploit
    - http://www.securitytracker.com/id/1038168
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-7269
    cwe-id: CWE-119
    epss-score: 0.97121
    epss-percentile: 0.9977
    cpe: cpe:2.3:a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: internet_information_server
    shodan-query: cpe:"cpe:2.3:a:microsoft:internet_information_server"
  tags: cve2017,cve,rce,windows,iis,kev,microsoft


http:
  - method: OPTIONS
    path:
      - "{{BaseURL}}"


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - regex("<DAV:sql>", dasl)
          - regex("[\d]+(,\s+[\d]+)?", dav)
          - regex(".*?PROPFIND", public)
          - regex(".*?PROPFIND", allow)
        condition: or


      - type: word
        part: header
        words:
          - "IIS/6.0"


      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b0df6eddf9b3c6eb633fbcb8c0b887cd25530478458529ff278562a9d0a30b00022100855e8cd5ea30c2afb83789fdef10ccefbb704d1a07ecd629c1de246c7407b60c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-7269.yaml"

View on Github