Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

The remote Windows host is missing a security update. It is, therefore, affected by one or more of the following vulnerabilities :

  - A remote code execution vulnerability exists in how the     Remote Desktop Protocol (RDP) handles requests if the     RDP server has Smart Card authentication enabled. An     authenticated, remote attacker can exploit this, via a     specially crafted application, to execute arbitrary code     with full user privileges. (CVE-2017-0176)

  - A remote code execution vulnerability exists in     Microsoft Internet Explorer due to improper handling of     objects in memory. An unauthenticated, remote attacker     can exploit this, by convincing a user to visit a     specially crafted website, to execute arbitrary code in     the context of the current user. (CVE-2017-0222)

  - An information disclosure vulnerability exists in the     Microsoft Server Message Block 1.0 (SMBv1) server when     handling certain requests. An unauthenticated, remote     attacker can exploit this, via a specially crafted     packet, to disclose sensitive information.
    (CVE-2017-0267)

  - A buffer overflow condition exists in the IIS WebDAV     service due to improper handling of the 'If' header in a     PROPFIND request. An unauthenticated, remote attacker     can exploit this, via a specially crafted request, to     cause a denial of service condition or the execution of     arbitrary code. This vulnerability, also known as     EXPLODINGCAN, is one of multiple Equation Group     vulnerabilities and exploits disclosed on 2017/04/14 by     a group known as the Shadow Brokers. (CVE-2017-7269)

  - A remote code execution vulnerability exists in how the     Remote Desktop Protocol (RDP) handles requests if the     RDP server has Routing and Remote Access enabled. An     authenticated, remote attacker can exploit this, via a     specially crafted application, to execute arbitrary code     with full user privileges. (CVE-2017-8461)

  - A remote code execution vulnerability exists in Windows     OLE, specifically in olecnv32.dll, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this, by convincing a user     to visit a specially crafted website or to open a     specially crafted file or email, to execute arbitrary     code in the context of the current user. (CVE-2017-8487)

  - A remote code execution vulnerability exists in the     Windows Search functionality due to improper handling of     objects in memory. An unauthenticated, remote attacker     can exploit this, via a specially crafted SMB message,     to execute arbitrary code. (CVE-2017-8543)

  - An information disclosure vulnerability exists in the     GDI component due to improper handling of objects in     memory. An unauthenticated, remote attacker can exploit     this, by convincing a user to open a specially crafted     document or visit a specially crafted website, to     disclose the contents of memory. (CVE-2017-8552)

The remote host is running Windows Server 2003 and Internet Information Services (IIS) 6.0 with WebDAV enabled. It is, therefore, affected by a buffer overflow condition in the IIS WebDAV service due to improper handling of the 'If' header in a PROPFIND request. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code.

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

The remote host is running Windows Server 2003 R2 and Internet Information Services (IIS) 6.0 with WebDAV enabled. It is, therefore, affected by a buffer overflow condition in the IIS WebDAV service due to improper handling of the 'If' header in a PROPFIND request. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code.

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

ID	Name	Product	Family	Severity
100791	Microsoft Security Advisory 4025685: Guidance for older platforms (XP / 2003) (EXPLODINGCAN)	Nessus	Windows : Microsoft Bulletins	critical
99523	Microsoft Windows Server 2003 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)	Nessus	Web Servers	critical
99281	Microsoft Windows Server 2003 R2 IIS 6.0 WebDAV PROPFIND Request Handling RCE (EXPLODINGCAN)	Nessus	Web Servers	critical

Detections

Analytics

CVE-2017-7269

critical

Tenable Plugins

critical

critical

critical