Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)  (Read 2432 times)

0 Members and 1 Guest are viewing this topic.

nidhinjo

  • Guest
A vulnerability exists in IIS when WebDAV improperly handles objects in memory, which could allow an attacker to run arbitrary code on the user’s system. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.


To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system.The update addresses the vulnerability by changing how WebDAV handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list. A remote user can send a WebDAV PROPFIND request with a specially crafted 'If' header to trigger a buffer overflow in the ScStoragePathFromUrl() function and execute arbitrary code on the target system. The code will run with the privileges of the target service.

Preface

CVE-2017-7269 IIS 6.0 in the presence of a stack overflow vulnerability in IIS6. 0 processing PROPFIND command when, due to the length of the url without the effective length of the control and inspection lead to the implementation of memcpy on a virtual path configuration when the trigger stack overflow, this vulnerability can lead to remote code execution.

Currently on github there is one in windows server 2003 r2 on the stable use of the exploit, this exp the current implementation of the function is playing the calculator, and use the shellcode method is the alpha shellcode, this is due to the url in memory to the width of the bytes stored in the form, and which contains some of the badchar, making it impossible to directly use the shellcode code execution, and require first order alpha shellcode method, in ascii form to the width of the byte write to memory, and then through a small section after decrypting the execution code.

github address: https://github.com/edwardz246003/IIS_exploit

This vulnerability is in fact the principle is very simple, but its use method is very interesting, I’m in the start when debugging a lot of stack overflow and exp, but most are covered by a ret, overwrite the seh and other methods to complete the attack, until I saw this exploit, feeling very artistic. But this vulnerability is also present its limitations, such as for aslr seems to have no use of the surface, and therefore in a higher version of windows server in use seems to be very difficult, the windows server 2003 r2 without aslr protection.

CVSS Scores & Vulnerability Types

Code: [Select]
CVSS Score                    : 10.0
Confidentiality Impact     :Complete (There is total information disclosure, resulting in all system files being revealed.)
Integrity Impact               : Complete (There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised.)

Availability Impact           :Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)

Access Complexity          :Low (Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. )
Authentication                 :Not required (Authentication is not required to exploit the vulnerability.)
Gained Access               : None
Vulnerability Type(s)        :Execute CodeOverflow   
CWE ID                          : 119
Mitigating Factors           : Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds                  : Microsoft has not identified any workarounds for this vulnerability.

Vulnerability Conditions

Vulnerability is valid if product versions listed below are used TOGETHER WITH(AND)

Microsoft IIS 6.0 + Microsoft Windows Server 2003 R2