Overview
A stack-based buffer overflow in the WebDAV service of Microsoft Internet Information Services (IIS) 6.0 allows an unauthenticated remote attacker to execute arbitrary code by sending a crafted PROPFIND request whose 'If' header begins with '<http://' and is abnormally long. IIS 6.0 ships with Windows Server 2003 and Windows Server 2003 R2, both of which had already reached end of support when the bug became public. The vulnerability was disclosed on March 27, 2017, when a proof-of-concept exploit was published; it had reportedly been exploited in the wild since mid-2016. CISA lists CVE-2017-7269 in its Known Exploited Vulnerabilities catalog; it is not currently known to be used in ransomware campaigns.
Technical details
The WebDAV component of IIS 6.0 (httpext.dll), which runs inside the IIS worker process, does not correctly bound the amount of data it copies from the 'If' request header. When a PROPFIND request carries an 'If' header that begins with '<http://' and is far longer than the fixed-size stack buffer expects, the ScStoragePathFromUrl function overflows that buffer. The overflow overwrites saved control data on the stack, so the attacker can redirect execution to attacker-controlled code without any authentication. Because the 'If' header is processed before any WebDAV authorization decision, a single unauthenticated request reaches the vulnerable code.
The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and, more precisely, CWE-121 (Stack-based Buffer Overflow). Some trackers also tag it CWE-674 (Uncontrolled Recursion), although the underlying defect is an unchecked copy into a fixed-size stack buffer rather than recursion.
The vulnerability has a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code inside the IIS worker process (w3wp.exe), which runs as the application pool identity, Network Service by default on IIS 6.0. Although Network Service is a limited account, code execution on the server gives the attacker access to the web content and application data the worker process can read, the ability to drop and run additional tooling, a foothold for privilege escalation and lateral movement, and the ability to crash the worker process to disrupt service. The vulnerability was exploited in the wild before public disclosure, and after the proof-of-concept was published it was used in mass scanning and in campaigns that installed cryptocurrency miners on exposed servers.
Mitigation and workarounds
Windows Server 2003 and Windows Server 2003 R2 reached end of support on July 14, 2015, so no vendor fix existed when the vulnerability was disclosed. Microsoft later released an out-of-band security update for CVE-2017-7269 on Windows Server 2003 on June 13, 2017, as part of its guidance for older platforms in Microsoft Security Advisory 4025685. Apply that update if the system must stay in service, but treat it as a stopgap: IIS 6.0 and Windows Server 2003 receive no other security updates, and the workload should be migrated to a supported platform.
Temporary workarounds, for systems that cannot be updated immediately: disable WebDAV if it is not required. In IIS 6.0, WebDAV is a Web Service Extension that is prohibited by default; in IIS Manager, open Web Service Extensions and set WebDAV to Prohibited. Stopping the World Wide Web Publishing Service is not a substitute, as it stops all of IIS rather than just WebDAV. Restrict network access to the server with firewall rules so that only trusted addresses can reach the HTTP/HTTPS ports. Deploy network IDS/IPS or WAF rules that block PROPFIND requests whose 'If' header is abnormally long. Note that a legitimate 'If' header also begins with '<http://' (it carries lock tokens tagged with resource URLs), so the rule must key on the header length, not on the prefix alone, or it will block normal WebDAV clients.
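The request pattern described under 'Technical details' and the IDS/WAF check described in the workaround above, as an added example that is not part of the original advisory: a small Python checker that parses a raw HTTP request head and flags an 'If' header that begins with '<http://' and exceeds a length threshold. The 256-byte threshold, the function names and the sample requests are assumptions; the malicious samples use a run of 'A' bytes in place of a real exploit payload, so they only exercise the length check.

```python
"""Flag HTTP requests matching the CVE-2017-7269 'If' header pattern.

Added example for illustration; not code from the original advisory.
The threshold, helper names and sample requests below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed threshold. A legitimate WebDAV If header carries one or a few
# <URL> (<opaquelocktoken:...>) tagged lists and stays well under this;
# overflowing the stack buffer needs a header hundreds of bytes long.
IF_HEADER_LIMIT = 256

# A benign If header starts the same way, so the prefix alone is not a signal.
_IF_PREFIX = re.compile(rb"^<http://", re.IGNORECASE)


@dataclass
class Finding:
    method: bytes
    header_len: int
    severity: str


def parse_request_head(raw: bytes) -> Tuple[bytes, bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request head into (METHOD, target, [(name_lower, value), ...]).

    Header names are lower-cased so "IF", "If" and "if" all match. Duplicate
    headers are kept in order; obsolete line folding is not supported.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers: List[Tuple[bytes, bytes]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return parts[0].upper(), parts[1], headers


def inspect_request(raw: bytes, limit: int = IF_HEADER_LIMIT) -> Optional[Finding]:
    """Return a Finding when the request looks like a CVE-2017-7269 attempt.

    Signature: an If header that begins with "<http://" AND is longer than
    `limit` bytes. Length is the discriminator. PROPFIND, the method used by
    the public exploit, is rated high; any other method carrying the same
    oversized header is reported as medium (assumption: worth a look, not
    shown here to be exploitable).
    """
    method, _target, headers = parse_request_head(raw)
    worst: Optional[Finding] = None
    for name, value in headers:
        if name != b"if" or not _IF_PREFIX.match(value) or len(value) <= limit:
            continue
        severity = "high" if method == b"PROPFIND" else "medium"
        if worst is None or len(value) > worst.header_len:
            worst = Finding(method, len(value), severity)
    return worst


# Constructed sample requests (not captured traffic).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    b"Host: files.example.test\r\n"
    b"Depth: 1\r\n"
    b"If: <http://files.example.test/docs/plan.docx> "
    b"(<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Stand-in for an exploit header: same prefix, padded far past the limit.
OVERSIZED_IF = b"<http://localhost/" + b"A" * 600 + b">"
MALICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: 192.0.2.10\r\nIf: " + OVERSIZED_IF + b"\r\n\r\n"
)
MALICIOUS_LOCK = (
    b"LOCK /x HTTP/1.1\r\nHost: 192.0.2.10\r\nIf: " + OVERSIZED_IF + b"\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_PROPFIND),
                       ("propfind", MALICIOUS_PROPFIND),
                       ("lock", MALICIOUS_LOCK)):
        print(label, inspect_request(req))
```

The benign sample passes because its 'If' header, although it starts with '<http://', is short; the same prefix on a 619-byte header is flagged. Tune IF_HEADER_LIMIT to the longest 'If' header your own WebDAV clients send before deploying an equivalent rule in a WAF or IDS.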
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI

