Multiple Assets Still Vulnerable to Archaic RCE Dubbed ‘ExplodingCan’

CloudSEK’s Customer Threat Research team discovered multiple assets on the internet that are still vulnerable to CVE-2017-7269, a remote code execution (RCE) vulnerability affecting IIS v6.0 - 2003 R2.
Updated on
April 19, 2023
Published on
March 22, 2022
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.
Category: Vulnerability IntelligenceVulnerability Class: Remote Code ExecutionCVE ID: CVE-2017-7269CVSS:3.0 Score: 9.8

Executive Summary

  • CloudSEK’s Customer Threat Research team discovered multiple assets on the internet that are still vulnerable to CVE-2017-7269, a remote code execution (RCE) vulnerability affecting IIS v6.0 (2003 R2).
  • This is a Buffer Overflow vulnerability present in the WebDAV service of the IIS v6.0 and can be exploited if the PROPFIND header is enabled.
  • This vulnerability is often referred to as Immortal CVE, as the issue is highlighted in a product that is already at its end-of-life (EOL) stage. Hence, Microsoft has never published an official patch.

Analysis

  • CloudSEK’s flagship digital risk monitoring platform XVigil runs routine application misconfiguration scans as a part of the infrastructure monitoring functionality. 
  • During one such scan, we found that there are multiple assets that are still vulnerable to an old flaw, dubbed ExplodingCan.

About the ExplodingCan Vulnerability  

  • Discovered in 2017, this critical vulnerability lets an attacker run arbitrary code on vulnerable systems, with user privileges, by exploiting a bug in Web Distributed Authoring and Versioning (WebDAV).
  • WebDAV is a set of extensions to the Hypertext Transfer Protocol (HTTP), which allows user agents to jointly author content directly in an HTTP web server, by facilitating concurrency control and namespace operations. This allows the Web to be viewed as a writeable, collaborative medium and not just as a read-only medium.
  • Once that has been established, the header PROPFIND is enabled on the target, and the ExplodingCan vulnerability can be confirmed. This can be done with the help of the following cURL command.
cURL command to confirm if PROPFIND header is enabled or not
cURL command to confirm if PROPFIND header is enabled or not
  • If the command returns HTTP response code 411, the target system is said to be vulnerable (as shown in the image above). 
  • Whereas, if the command returns the HTTP response codes 401, 503, or 403, it would indicate that the target is not vulnerable.

Information from OSINT

  • WannaCry malware had multiple 0-day vulnerabilities in its arsenal, making it one of the most disastrous malware campaigns to be recorded. ExplodingCan, CVE-2017-7269, was one of them.
  • This vulnerability was also known to have been exploited by Chinese threat actors to mine Electroneum cryptocoin. 
  • Based on the search engine Shodan, there are more than a million servers that are still potentially vulnerable to CVE-2017-7269. However, it is hard to ascertain the exact number, as the server should also have WebDAV service and the PROPFIND request header enabled.
Results on Shodan
Results on Shodan
  • This vulnerability has been constantly leveraged in malware and ransomware attacks. 
  • Threat actors can piggyback on this vulnerability to gain an initial foothold on target systems. Then the malware installs malicious code and takes over the server and even allows privilege escalation.
  • The availability of various free exploit codes on multiple open source platforms like GitHub,  makes it easier to exploit this vulnerability.

Impact & Mitigation

ImpactMitigation
Threat actors can run shellcodes to gain access to the remote server. Exploiting this vulnerability can result in potential ransomware attacks.It may also result in a complete takeover of the server. Threat actors can steal intellectual property and confidential data. It can also affect the company's revenue and reputation.There are no workarounds for this vulnerability because the product was already at EOL when the vulnerability was released. Update to a newer Operating System and update the IIS server to the latest version. Please refer to the official Microsoft advisory.

References

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations