Australia’s Exposure to IIS6.0 (WebDAV) Critical Remote Code Execution Vulnerability CVE-2017-7269

Australia's Exposure to IIS6.0

As many are already aware, the critical IIS 6.0 WebDAV remote code execution vulnerability CVE-2017-7269 was published a few days ago along with a POC exploit, which has since been actively weaponised, with some news reports claiming “millions” of “websites” are potentially at risk worldwide.

What does Australia’s potential exposure look like?

Censys.io returns 9,761 internet-facing servers in Australia running IIS 6.0.

An equivalent query using Shodan.io returns 7,767 servers running IIS 6.0. Admittedly slightly lower, but close enough for the purposes of this “back of napkin assessment”.

Now, if we consider that this vulnerability realistically requires WebDAV to be enabled, and that IIS 6.0 had WebDAV disabled by default, this should reduce the list significantly.

A simple method to test whether WebDAV is enabled on a server is to make an HTTP request using the PROPFIND method. Anything that returns “411 Length Required” generally means WebDAV is enabled and the server is likely vulnerable.

$ curl -ik -X PROPFIND https://XX.XX.XX.XX:YY
HTTP/1.1 411 Length Required  # Likely Vulnerable
Connection: close
Date: Sun, 01 Apr 2017 01:57:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 50

So in this case we can take the Shodan AU IIS 6.0 dataset (purely because we’ve previously written a parser for it, and the results were close enough to those from Censys.io) and script a PROPFIND query against all listed IPs.
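The scripted PROPFIND inventory check described above, as an added example that is not the original post's script (the hostnames in SAMPLE_ASSETS are placeholders). It applies the same rule as the curl probe: an IIS 6.0 host answering "411 Length Required" to a body-less PROPFIND is flagged for follow-up; everything else is recorded as "no indicator" rather than "safe", because WebDAV can still be enabled per directory or per VHOST.

```python
import http.client
import ssl
from collections import Counter

# Constructed sample asset list (placeholder names, not real hosts): (host, port, tls)
SAMPLE_ASSETS = [("iis6-host.example", 443, True), ("iis6-host.example", 80, False)]


def classify_propfind(status, headers):
    """Map one PROPFIND reply to an inventory verdict using the post's rule:
    IIS 6.0 answering 411 Length Required to a body-less PROPFIND means the
    WebDAV extension is active and the host needs follow-up. Anything else is
    'no indicator', not 'safe', since WebDAV can be enabled per directory/VHOST."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if status == 411:
        return "webdav-enabled-iis6" if "Microsoft-IIS/6.0" in server else "webdav-enabled-other"
    return "no-webdav-indicator"


def probe_host(host, port=443, use_tls=True, timeout=5.0):
    """Send an empty PROPFIND for / to one asset and classify the reply.
    http.client sends no Content-Length for PROPFIND, matching the curl probe;
    certificate checks are off like curl -k (inventory check, not a trust decision)."""
    conn = None
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("PROPFIND", "/")
        resp = conn.getresponse()
        return classify_propfind(resp.status, dict(resp.getheaders()))
    except (OSError, http.client.HTTPException):
        return "unreachable"  # DNS failure, refused, timeout, malformed reply
    finally:
        if conn is not None:
            conn.close()


def summarize(verdicts):
    """Count verdicts so the 'at least N potentially vulnerable' figure can be reported."""
    counts = Counter(verdicts)
    return {"checked": len(verdicts), "follow_up": counts["webdav-enabled-iis6"],
            "by_verdict": dict(counts)}


if __name__ == "__main__":
    print(summarize([probe_host(h, p, tls) for h, p, tls in SAMPLE_ASSETS]))
```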

End result: at least 734 servers in Australia are potentially vulnerable to remote code execution via CVE-2017-7269.

These results align with Iraklis’s global sampling, which found that around 10% of IIS 6.0 servers have WebDAV enabled.

Disclaimer:

This was a “back of napkin” assessment. WebDAV can be enabled per directory or per VHOST, which the fingerprinting method used here does not account for; a more accurate assessment would need additional site discovery and crawling or directory brute-forcing.

Server 2003 / IIS 6.0 reached Microsoft “end-of-life” in July 2015. Anybody still running a Server 2003 IIS web server is urged to upgrade to a non-EOL version.