Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

IIS 6.0 WebDAV Buffer Overflow

Nir_Zigler_7297
Historic F5 Account

‎29-Mar-2017 07:49 - edited ‎23-Jun-2022 09:31

Today we are reminded that old software can include new and critical security findings.

Microsoft IIS 6.0 on Windows Server 2003 R2 is vulnerable to buffer overflow which leads to remote code execution. This is due to inproper validation of the If: header which is used in WebDAV. This issue is covered by CVE-2017-7269.

The vulnerability is exploited by sending a malicious PROPFIND method to the vulnerable server. By default, this method is disabled on ASM. However, it is crucial for the proper function of WebDAV, so policies which protect this kind of application have probably enabled it.

IIS 6.0

Despite being a 15 year old product which is not officially supported by Microsoft anymore - The web still uses IIS 6.0 in very large numbers.

A search in Shodan shows that over 600k servers are still live: https://www.shodan.io/search?query=iis+6.0

Mitigation with attack signatures

ASM users are encouraged to use the following attack signature to detect exploitation attempts for this vulnerability:

content:"PROPFIND"; depth:8; headercontent:"If: <http://"; pcre:"/^If: <http:\/\/[^>]*?[\x80-\xFF]{5}/Hm";

This signature is due to be included in the next ASU, being released early April.

Labels:
0 Kudos
Version history
Last update:
‎23-Jun-2022 09:31
Updated by:
Copyright © 2023 Khoros, LLC