(EXPLODINGCAN) Microsoft Windows Server 2003 IIS 6.0 WebDAV PROPFIND Request Handling RCE

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

  • The remote host is running Windows Server 2003 and Internet Information Services (IIS) 6.0 with WebDAV enabled.
  • It is, therefore, affected by a buffer overflow condition in the IIS WebDAV service due to improper handling of the ‘If’ header in a PROPFIND request.
  • An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code.
  • Solution: Windows Server 2003 and IIS 6.0 are no longer maintained or supported, as per the Microsoft advisory. Upgrade to a currently supported version of Microsoft Windows and IIS. Alternatively, disable either IIS or WebDAV.
  • The original exploit Metasploit module shared by Zhiniang Peng and Chen Wu can be found here.
  • As a preventive step, confirm whether the vulnerability exists using the Nessus plugin analysis; the plugin can be found here.
  • GitHub repository can be found here.
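
To audit your own servers for the configuration described above (IIS 6.0 with WebDAV enabled), the following added example, which is not from the original post or the linked repositories, classifies a saved HTTP OPTIONS response by its Server, DAV, Allow and Public headers. The function names and the sample responses are constructed for illustration, and the check is a header heuristic that assumes no proxy has altered the response.

```python
from email.parser import Parser

# Constructed sample OPTIONS responses (not captured from real hosts).
IIS6_DAV = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nMS-Author-Via: DAV\r\n"
            "DAV: 1, 2\r\nPublic: OPTIONS, TRACE, GET, HEAD, PROPFIND, PROPPATCH, LOCK\r\n\r\n")
IIS6_NO_DAV = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
               "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")
OTHER_DAV = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nDAV: 1,2\r\n"
             "Allow: OPTIONS, GET, PROPFIND\r\n\r\n")


def parse_headers(raw_response):
    """Map lower-cased header names to values; repeated headers are joined."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, header_block = head.partition("\n")
    merged = {}
    for name, value in Parser().parsestr(header_block, headersonly=True).items():
        key = name.lower()
        merged[key] = f"{merged[key]}, {value}" if key in merged else value
    return merged


def webdav_exposure(raw_response):
    """Heuristic: does the response advertise IIS 6.0 and WebDAV together?"""
    h = parse_headers(raw_response)
    methods = {m.strip().upper()
               for m in f"{h.get('allow', '')},{h.get('public', '')}".split(",")
               if m.strip()}
    iis6 = h.get("server", "").strip().lower().startswith("microsoft-iis/6.0")
    webdav = "dav" in h or "PROPFIND" in methods
    # Assumption: headers are unmodified; a proxy that strips Server/DAV
    # produces a negative here, so a negative is not proof of safety.
    return {"iis6": iis6, "webdav": webdav, "affected_config": iis6 and webdav}


if __name__ == "__main__":
    for label, raw in [("IIS6+DAV", IIS6_DAV), ("IIS6 only", IIS6_NO_DAV),
                       ("other DAV", OTHER_DAV)]:
        print(label, webdav_exposure(raw))
```

After disabling WebDAV as the solution bullet suggests, re-running the check on a fresh OPTIONS response should show `webdav` as false.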