Zero-day vulnerability in Microsoft IIS

Buffer overflow
CVE-2017-7269

There are reports that this vulnerability was actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor; however, Microsoft decided to release a security patch addressing this issue on June 13, 2017.

Known malware:

EXPLODINGCAN

Vulnerability details

Advisory: SB2017032801 - Remote code execution in Microsoft IIS 6.0

Vulnerable component: Microsoft IIS

CVE-ID: CVE-2017-7269

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the ScStoragePathFromUrl() function of the WebDAV service when processing an overly long HTTP header beginning with "If: <http://" in a PROPFIND request. A remote unauthenticated attacker can trigger a buffer overflow and execute arbitrary code on the target system with the privileges of the IIS service.

Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.

Note: this vulnerability was actively exploited in the wild in July and August 2016.
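As an added example (not part of the advisory), the following Python detector flags the request shape described above: a PROPFIND whose "If" header begins with "<http://" and is far longer than a legitimate WebDAV lock-token list. The 1024-byte threshold and the sample requests are constructed assumptions for illustration.

```python
# Detector for the request shape the advisory describes: a PROPFIND whose
# "If" header begins with "<http://" and is far longer than any legitimate
# WebDAV lock-token list. The 1024-byte threshold is an assumption.
IF_HEADER_MAX_LEN = 1024

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None, None, {}
    method, target = parts[0].decode("latin-1"), parts[1].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        name = name.strip().lower().decode("latin-1")
        value = value.strip().decode("latin-1")
        headers[name] = headers[name] + ", " + value if name in headers else value
    return method, target, headers

def is_suspicious_propfind(raw: bytes, max_len: int = IF_HEADER_MAX_LEN) -> bool:
    """True for a PROPFIND whose If header starts with '<http://' and
    exceeds max_len bytes; other methods and short headers are ignored."""
    method, _target, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_value = headers.get("if", "")
    return if_value.startswith("<http://") and len(if_value) > max_len

def scan(requests):
    """Return the indices of requests that match the suspicious pattern."""
    return [i for i, r in enumerate(requests) if is_suspicious_propfind(r)]

# Constructed sample traffic (not captured data): a benign PROPFIND with a
# short If header, a plain GET, and a PROPFIND with an oversized If header.
BENIGN = (b"PROPFIND /share/ HTTP/1.1\r\nHost: example.test\r\n"
          b"If: <http://example.test/share/> (<opaquelocktoken:abc>)\r\n\r\n")
GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
             b"If: <http://example.test/" + b"A" * 2000 + b">\r\n\r\n")
SAMPLES = [BENIGN, GET, OVERSIZED]

if __name__ == "__main__":
    print("suspicious request indices:", scan(SAMPLES))  # [2]
```

Only the oversized PROPFIND is reported; the benign PROPFIND with a normal lock-token list and the GET pass unflagged.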

Public Exploits:

Latest references in media:

- Coinhive stops digging, but cryptomining still dominates [2019-04-10 07:31:47]

- Cryptominers Still Top Threat In March Despite Coinhive Demise [2019-04-09 19:20:39]

- March 2019’s Most Wanted Malware: Cryptomining Still Dominates Despite Coinhive Closure [2019-04-09 16:42:59]

- March 2019's Most Wanted Malware: Coinhive Stops Digging, but Cryptomining Still Dominates [2019-04-09 15:35:58]

- Researchers unveil February 2019’s most wanted malware [2019-03-12 07:31:44]

- February 2019's Most Wanted Malware: Coinhive Quits While Still at the Top [2019-03-11 15:41:48]

- February 2019’s Most Wanted Malware: Coinhive Quits While Still at the Top [2019-03-11 14:12:03]

- Cyber and Physical Convergence Opens Doors for Attackers: Report [2019-02-20 15:40:07]

- Most wanted malware in January 2019: A new threat speaks up [2019-02-14 07:21:35]

- January 2019's Most Wanted Malware: A Significant New Threat Speaks Up [2019-02-13 15:41:51]

- January 2019’s Most Wanted Malware: A New Threat Speaks Up [2019-02-13 15:11:44]

- SmokeLoader malware downloader enters list of most wanted malware [2019-01-15 07:11:17]

- Cryptomining Continues to Be Top Malware Threat [2019-01-15 01:20:12]

- Crypto-Mining, Banking Trojans Top Malware Threats [2019-01-14 20:10:08]

- December 2018's Most Wanted Malware: Malware Downloader Climbs into Top 10 for First Time [2019-01-14 17:01:45]

- December 2018’s Most Wanted Malware: Where there’s SmokeLoader, there’s Fire [2019-01-14 16:51:47]

- November 2018: Most wanted malware exposed [2018-12-12 07:21:21]

- November 2018's Most Wanted Malware: the Thanksgiving Day Botnet Emerges [2018-12-11 16:41:36]

- November 2018’s Most Wanted Malware: The Rise of the Thanksgiving Day Botnet [2018-12-11 15:01:58]

- FlawedAmmy: Dangerous RAT enters most wanted malware list [2018-11-14 07:41:19]

- October 2018’s Most Wanted Malware: For The First Time, Remote Access Trojan Reaches Top 10 Threats [2018-11-13 15:21:39]

- October 2018's Most Wanted Malware: For The First Time, Remote Access Trojan Reaches Global Threat Index's Top 10 [2018-11-13 10:21:26]

- Cryptomining attacks against Apple devices increase sharply [2018-10-16 07:41:06]

- Cryptojacking attacks against iPhone devices increase [2018-10-16 05:31:02]

- September 2018's Most Wanted Malware: Cryptomining Attacks Against Apple Devices Increase Sharply [2018-10-15 19:51:29]

- iPhone a Growing Target of Crypto-Mining Attacks [2018-10-15 19:10:06]

- September 2018’s Most Wanted Malware: Cryptomining Attacks Against Apple Devices On The Rise [2018-10-15 15:11:24]

- September 2018's Most Wanted Malware: Cryptomining Attacks Against Apple Devices Increase Sharply [2018-10-15 14:21:17]

- IIS Based Attacks Increased by 1.7 Million in Last Quarter of 2018 [2018-10-10 05:30:53]

- Check Point: August's Most Wanted Malware: Banking Trojan Attacks Turn up the Heat [2018-09-14 11:51:30]

- Banking Trojan attacks increase, large scale Ramnit campaign impacts organizations worldwide [2018-09-12 08:41:16]

- Hackers Increase Attacks Using Banking Trojans [2018-09-11 19:40:07]

- Banking trojan attacks turn up the heat in August 2018's most wanted malware [2018-09-11 15:51:27]

- August’s Most Wanted Malware: Banking Trojan Attacks Turn up the Heat [2018-09-11 14:01:27]

- Operation Red Signature Delivers Malware to Targeting Organizations [2018-08-24 14:11:00]

- Operation Red Signature – South Korean Firms victims of a supply chain attack [2018-08-23 09:00:08]

- Supply Chain Attack Hits South Korean Firms [2018-08-22 16:40:12]

- Supply Chain Attack Hits Organizations In South Korea [2018-08-22 12:50:26]

- Supply Chain Attack Operation Red Signature Targets South Korean Organizations [2018-08-21 15:10:18]

- July's Most Wanted Malware: Attacks Targeting IoT and Networking Vulnerabilities on the Rise [2018-08-15 18:31:17]

- July’s Most Wanted Malware: Attacks Targeting IoT and Networking doubled since May 2018 [2018-08-15 15:41:12]

- June's Most Wanted Malware: Use of Banking Trojans Up 50% [2018-07-10 13:11:18]

- June’s Most Wanted Malware: Banking Trojans Up 50% Among Threat Actors [2018-07-05 20:21:07]

- Windows IIS 6.0 CVE-2017-7269 Is Targeted Again to Mine Electroneum [2018-06-28 18:22:05]

- April’s Most Wanted Malware: Cryptomining Malware Targeting Unpatched Server Vulnerabilities [2018-06-13 01:24:48]

- May’s Most Wanted Malware: Cryptomining Malware Digs into Nearly 40% of Organizations Globally [2018-06-13 01:24:48]

- Cryptomining malware digs into nearly 40% of organizations worldwide [2018-06-08 07:50:30]

- Crypto-Mining Malware Tops Most Wanted List [2018-05-14 20:41:56]

- Electroneum Cryptomining Targets Microsoft IIS 6.0 Vulnerability - Dark Reading [2018-05-10 15:15:43]

- Windows servers running IIS 6.0 targeted by crypto-mining hackers | TheINQUIRER [2018-04-16 15:06:47]

- Windows Servers Targeted for Cryptocurrency Mining via IIS Flaw [2018-04-16 11:08:59]

- Trustwave Web Application Firewall Signature Update 4.49 Now Available [2017-07-10 02:00:00]

- Starbucks Wi-Fi hijacked customers’ laptops to mine cryptocoins [2017-12-14 19:00:47]

- IT threat evolution Q3 2017. Statistics [2017-11-10 11:54:53]

- News in brief: Whole Foods holed; Facebook face lock; Mining malware [2017-10-02 19:23:12]

- Monero-Mining Campaign Takes the Easy Road to Cash Gains [2017-09-29 21:21:05]

- Monero Miner Infects Hundreds of Windows Servers [2017-09-29 14:54:17]

- Crooks hacked Microsoft servers to mine Monero, they earned $63K in 3 months [2017-09-29 11:30:18]

- Hackers Hijacking Microsoft IIS Servers to Mine Monero Cryptocurrency - Makes $63,000 In 3 Months [2017-09-28 18:41:10]

- Copy-Pasting Malware Dev Made $63,000 From Mining Monero on IIS Servers [2017-09-28 15:03:12]

- Third-Party Risks a Rising Cyber Threat, Research Shows [2017-09-28 14:30:11]

- Exploited Windows Flaws Affect Siemens Medical Imaging Products [2017-08-04 17:31:22]

- Following the Trail of BlackTech’s Cyber Espionage Campaigns [2017-06-22 14:50:07]

- Microsoft Patches Windows XP Again As Part of June Patch Tuesday [2017-06-20 08:20:13]

- Rare XP Patches Fix Three Remaining Leaked NSA Exploits [2017-06-14 15:00:48]

- Windows XP Receives Patches for More 'Shadow Brokers' Exploits [2017-06-14 11:10:36]

- Microsoft Issues Windows XP Security Updates for Previously Ignored NSA Hacking Tools [2017-06-13 22:51:13]

- Internet Information Services (IIS) 6.0 Vulnerability [2017-04-18 13:52:07]

- Microsoft’s New Look Patch Tuesday Fixes 46 Bugs [2017-04-12 12:00:37]

- Compared to last month’s Patch Tuesday, April will be a light drizzle [2017-04-10 08:00:04]

- Unpatched zero-day flaw in IIS 6.0 leaves users with limited options [2017-04-03 13:51:00]

- Week in review: IIS zero-day, iOS scareware, new issue of (IN)SECURE [2017-04-02 21:50:11]

- WONTFIX: No patch for Windows Server 2003 IIS critical bug – Microsoft [2017-03-31 02:50:02]

- Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server [2017-03-30 17:20:03]

- Actively exploited zero-day in IIS 6.0 affects 60,000+ servers [2017-03-30 09:40:21]

- Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched [2017-03-29 21:21:15]

- Over 8.3 million live websites using IIS 6.0 are affected by a Zero-Day [2017-03-29 20:20:13]

- Millions of Websites Affected by IIS 6.0 Zero-Day [2017-03-29 19:01:20]

- New IIS 6.0 Zero-Day Exploited in Live Attacks Since July 2016 [2017-03-29 13:10:58]

- IIS 6.0 Vulnerability Leads to Code Execution [2017-03-29 11:30:31]
