IIS Zero Day Vulnerability Will Never Be Patched

Microsoft Internet Information Services 6.0

A vulnerability found in Microsoft’s Internet Information Services (IIS) web server technology has been publicly detailed along with proof of concept exploit code. It is understood to have been under attack since July 2016. The flaw itself is found on IIS version 6.0. It reached end of life in July 2015 meaning it will likely not be patched which will leave all remaining servers that are yet to upgrade with the potential of a complete system compromise.

The vulnerability is a buffer overflow in the ScStoragePathFromUrl function in the WebDAV service for IIS 6. The flaw itself is found within the WebDAV service, an extension to the [http] protocol designed to simplify sharing and content authoring.

An attack launched against a vulnerable server can cause a denial of service event but it could also result in a full remote code execution exploit.. With many IIS deployments running on a full Windows server installation often hosting other services for internal services, a break of this nature is capable of allowing a threat actor to gain a serious foothold in the network.

• Either upgrade IIS or disable WebDAV as soon as possible (see below how to disable WebDAV in IIS6)
• Conduct scans of your own address space either internally or with the use of a third party to discover any previously forgotten deployments that may be left vulnerable.
• Where vulnerable deployment have been available from the internet, access logs and other log data source should be analysed for unusual activity that may indicate a previous compromise.

How To Disable WebDAV In Microsoft IIS6