All Threat Intelligence posts

Multiple Assets Still Vulnerable to Archaic RCE Dubbed ‘ExplodingCan’

March 22, 2022
4
min read
Category: Vulnerability Intelligence Vulnerability Class: Remote Code Execution CVE ID: CVE-2017-7269 CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Customer Threat Research team discovered multiple assets on the internet that are still vulnerable to CVE-2017-7269, a remote code execution (RCE) vulnerability affecting IIS v6.0 (2003 R2).
  • This is a Buffer Overflow vulnerability present in the WebDAV service of the IIS v6.0 and can be exploited if the PROPFIND header is enabled.
  • This vulnerability is often referred to as Immortal CVE, as the issue is highlighted in a product that is already at its end-of-life (EOL) stage. Hence, Microsoft has never published an official patch.

Analysis

  • CloudSEK’s flagship digital risk monitoring platform XVigil runs routine application misconfiguration scans as a part of the infrastructure monitoring functionality. 
  • During one such scan, we found that there are multiple assets that are still vulnerable to an old flaw, dubbed ExplodingCan.

About the ExplodingCan Vulnerability  

  • Discovered in 2017, this critical vulnerability lets an attacker run arbitrary code on vulnerable systems, with user privileges, by exploiting a bug in Web Distributed Authoring and Versioning (WebDAV).
  • WebDAV is a set of extensions to the Hypertext Transfer Protocol (HTTP), which allows user agents to jointly author content directly in an HTTP web server, by facilitating concurrency control and namespace operations. This allows the Web to be viewed as a writeable, collaborative medium and not just as a read-only medium.
  • Once that has been established, the header PROPFIND is enabled on the target, and the ExplodingCan vulnerability can be confirmed. This can be done with the help of the following cURL command.
cURL command to confirm if PROPFIND header is enabled or not
cURL command to confirm if PROPFIND header is enabled or not
  • If the command returns HTTP response code 411, the target system is said to be vulnerable (as shown in the image above). 
  • Whereas, if the command returns the HTTP response codes 401, 503, or 403, it would indicate that the target is not vulnerable.

Information from OSINT

  • WannaCry malware had multiple 0-day vulnerabilities in its arsenal, making it one of the most disastrous malware campaigns to be recorded. ExplodingCan, CVE-2017-7269, was one of them.
  • This vulnerability was also known to have been exploited by Chinese threat actors to mine Electroneum cryptocoin. 
  • Based on the search engine Shodan, there are more than a million servers that are still potentially vulnerable to CVE-2017-7269. However, it is hard to ascertain the exact number, as the server should also have WebDAV service and the PROPFIND request header enabled.
Results on Shodan
Results on Shodan
  • This vulnerability has been constantly leveraged in malware and ransomware attacks. 
  • Threat actors can piggyback on this vulnerability to gain an initial foothold on target systems. Then the malware installs malicious code and takes over the server and even allows privilege escalation.
  • The availability of various free exploit codes on multiple open source platforms like GitHub,  makes it easier to exploit this vulnerability.

Impact & Mitigation

Impact Mitigation
Threat actors can run shellcodes to gain access to the remote server. Exploiting this vulnerability can result in potential ransomware attacks.It may also result in a complete takeover of the server. Threat actors can steal intellectual property and confidential data. It can also affect the company’s revenue and reputation. There are no workarounds for this vulnerability because the product was already at EOL when the vulnerability was released. Update to a newer Operating System and update the IIS server to the latest version. Please refer to the official Microsoft advisory.

References

Tags:
No items found.