Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server
A proof-of-concept exploit has been published for an unpatched vulnerability in Microsoft Internet Information Services 6.0, a version of the web server that's no longer supported but still widely used.
The exploit allows attackers to execute malicious code on Windows servers running IIS 6.0 with the privileges of the user running the application. Extended support for this version of IIS ended in July 2015 along with support for its parent product, Windows Server 2003.
Even so, independent web server surveys suggest that IIS 6.0 still powers millions of public websites. In addition, many companies might still run web applications on Windows Server 2003 and IIS 6.0 inside their corporate networks, so this vulnerability could help attackers perform lateral movement if they access such networks through other means.
"Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code," researchers from Trend Micro said in a blog post Wednesday.
According to the exploit's authors, the vulnerability is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. It can be exploited through a specially crafted PROPFIND request.
Web Distributed Authoring and Versioning (WebDAV) is an extension of the standard Hypertext Transfer Protocol (HTTP) that allows users to create, change and move documents on a server. The extension supports several request methods, including PROPFIND, which is used to retrieve the properties of a resource.
There's evidence that this IIS vulnerability has been known by a limited number of attackers since at least July or August of last year. However, the publishing earlier this week of an exploit for it on GitHub makes it accessible to a larger number of hackers.
Since Microsoft won't patch this vulnerability, one possible mitigation is to disable the WebDAV service on IIS 6.0 installations. Security firm ACROS Security has also developed a free "micropatch" for this vulnerability -- an unofficial patch that can be applied without restarting the affected server or even IIS process.