Eric Partington

CVE-2017-7269 - IIS 6.0 WebDAV - packet capture ?

Discussion created by Eric Partington Employee on Mar 29, 2017
Latest reply on Mar 29, 2017 by Guy Bruneau

I was recently asked about this vulnerability by a partner; it seemed like something that NetWitness (NW) packet capture (if in the right place on your network) would be able to detect easily.

The exploit appears to be against a version of IIS (6.0) and is related to improper validation of an 'If' header in a PROPFIND request (from the Trend Micro link below). I am not a vulnerability expert, but I figured that I could plug the details of the exploit into the NW meta values and see if we could come up with a drill to detect this CVE.

https://blog.trendmicro.com/trendlabs-security-intelligence/iis-6-0-vulnerability-leads-code-execution/

https://github.com/edwardz246003/IIS_exploit

HTTP requests with PROPFIND

service = 80 && action = 'PROPFIND'

If you have 10.6.2.x and have installed the additional hunting pack items, then you should have access to the header values to go a step further.

HTTP request with PROPFIND and If header

service = 80 && action = 'PROPFIND' && http.request = 'If'

Depending on how you indexed the unique values of those header elements, you may also be able to run the following query from Investigator:

service=80 && action='propfind' && http.request='if' && res.uniq contains '<http://'

If those match your logic, then you could convert them into application rules and trigger your alerts off them (depending on where your capture is located, you may want to add direction='inbound' to filter on just inbound attempts against your public-facing web properties).

Anyone successful at locating this? I haven't been able to validate with any PCAP, so these are best guesses so far for detection.
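The three-tier drill above (PROPFIND, PROPFIND with an If header, If header value containing '<http://'), applied to raw HTTP requests in plain Python as an added example; this is not NetWitness code or part of the original post, and the sample requests are constructed, not captured traffic.

```python
from typing import Dict, List

# Constructed sample requests (not captured traffic): a plain GET, a benign
# PROPFIND without an If header, and a PROPFIND whose If header carries a URL.
SAMPLE_REQUESTS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\nDepth: 1\r\n\r\n",
    b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n"
    b"If: <http://example.test/res> (Not <locktoken:tag>)\r\n\r\n",
]


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP request into method, path and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def match_tier(req: Dict[str, object]) -> int:
    """Highest tier of the post's queries this request satisfies.

    0 = none, 1 = action is PROPFIND, 2 = PROPFIND with an If header present
    (http.request = 'If'), 3 = the If value also contains '<http://'
    (res.uniq contains '<http://').
    """
    if str(req["method"]).upper() != "PROPFIND":
        return 0
    if_value = req["headers"].get("if")  # type: ignore[union-attr]
    if if_value is None:
        return 1
    if "<http://" in if_value.lower():
        return 3
    return 2


def triage(raw_requests: List[bytes]) -> List[int]:
    """Score each raw request; tier 3 is what the final investigator query flags."""
    return [match_tier(parse_request(r)) for r in raw_requests]


if __name__ == "__main__":
    for raw, tier in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(tier, raw.split(b"\r\n", 1)[0].decode())
```

Direction is not modelled here; in a capture-side rule the direction='inbound' filter from the post would be applied on the flow, not on the request text.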
