
A new zero-day vulnerability targeting Microsoft Internet Information Services 6.0 has been published on GitHub. The proof-of-concept exploit allows hackers to execute malicious attacks on any Windows server running IIS 6.0.

Admittedly, Microsoft stopped supporting Internet Information Services 6.0 in July 2015. This cutoff coincided with the end of support for Windows Server 2003. The company, as always, advised users still on IIS 6.0 to upgrade to newer versions.

However, millions of websites are estimated to still run the outdated software. Windows Server 2003 retains a sizeable footprint, meaning IIS 6.0 is still on corporate networks. Researchers from Trend Micro say the vulnerability has probably been known to attackers since last summer.

Until now, the number of hackers who knew about it was limited. That will undoubtedly grow now that it has been published on GitHub.

“Other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC) code,” Trend Micro said in a blog post.

The vulnerability is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. Microsoft is very unlikely to send out a fix for this, considering Internet Information Services 6.0 support has ended.

Vulnerability Details

Trend Micro says this is a typical buffer overflow issue. Attackers could exploit the flaw through an overly large ‘IF’ header in a ‘PROPFIND’ request with two or more HTTP resources. While there is no guarantee that the exploit will work, a successful attack could cause a denial-of-service condition.

“The PROPFIND method retrieves properties defined on the resource identified by the Request-URI. All the WebDAV-Compliant resources must support the PROPFIND method.”
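The condition described above (a PROPFIND request carrying an oversized ‘IF’ header that names two or more HTTP resources) can be checked at a proxy or WAF in front of a legacy server. The following is an added example, not code from Trend Micro or the original article; the length threshold, function names, host name and sample requests are assumptions constructed for illustration.

```python
import re

# Assumed tuning values (not from the article); baseline against your own WebDAV traffic.
MAX_IF_HEADER_LEN = 1024
MIN_RESOURCE_TAGS = 2
RESOURCE_TAG = re.compile(r"<\s*https?://[^>]*>", re.IGNORECASE)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # obsolete line folding
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            # Repeated headers are joined so a split If header is measured as a whole.
            headers[last] = (headers[last] + ", " if last in headers else "") + value.strip()
    return parts[0].upper(), headers

def inspect_request(raw: bytes):
    """Return a list of findings; an empty list means the request is not flagged."""
    try:
        method, headers = parse_request(raw)
    except ValueError as exc:
        return [str(exc)]
    if method != "PROPFIND":
        return []
    if_value = headers.get("if", "")
    tags = len(RESOURCE_TAG.findall(if_value))
    if len(if_value) > MAX_IF_HEADER_LEN and tags >= MIN_RESOURCE_TAGS:
        return [f"PROPFIND If header is {len(if_value)} bytes with {tags} resource tags"]
    return []

# Constructed sample requests (hypothetical host, inert padding).
HOST, PAD = b"files.example.test", b"x" * 1500
NORMAL = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: " + HOST + b"\r\nDepth: 1\r\n"
          b"If: <http://" + HOST + b"/docs/> (<opaquelocktoken:constructed>)\r\n\r\n")
OVERSIZED = (b"PROPFIND / HTTP/1.1\r\nHost: " + HOST + b"\r\n"
             b"If: <http://" + HOST + b"/" + PAD + b"> <http://" + HOST + b"/" + PAD + b">\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, inspect_request(req) or "not flagged")
```

A normal lock-token PROPFIND passes, while the padded two-resource request is flagged; the same check can run in log-only mode first to find a threshold that fits legitimate WebDAV clients.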

Microsoft has yet to say anything about this vulnerability, and the company may not even issue a statement. We will wait and see.