Threat Hunting

(EXPLODINGCAN) Microsoft Windows Server 2003 IIS 6.0 WebDAV PROPFIND Request Handling RCE

Apr 22, 2017

EXPLODINGCAN is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

  • The remote host is running Windows Server 2003 and Internet Information Services (IIS) 6.0 with WebDAV enabled.
  • It is, therefore,affected by a buffer overflow condition in the IIS WebDAV service due to improper handling of the ‘If’ header in a PROPFIND request.
  • An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code.
  • Solution : Windows Server 2003 and IIS 6.0 are no longer maintained or supported as per Microsoft advisory. Upgrade to a currently supported version of Microsoft Windows and IIS. Alternatively, disable either IIS or WebDAV.
  • Original exploit metasploit module shared by Zhiniang Peng and Chen Wu can be Found here
  • As per preventive steps , one should ensure if vulnerability exists with Nessus plugin Analysis and Plugin can be found here
  • Github repository can be found here.

Related Post

Threat Hunting

APT Group Trend – July 2023

Sep 16, 2023 C0r0k0
Collective Intelligence Threat Hunting Zero Day Attack Surfaces

Threat Hunting and Testing for CVE-2020-0601 – PoC – Windows CryptoAPI Spoofing Vulnerability

Jan 16, 2020 C0r0k0
Threat Hunting

CALDERA – Automated Adversary Emulation System

Mar 23, 2018 C0r0k0

Comments are closed.

You missed

Ransomware

Lockbit Ransomware – Recent Updates 2024

March 1, 2024 C0r0k0
Collective Intelligence

Two-Factor Authentication (2FA) in 2024: Level Up Your Banking Security

February 14, 2024 C0r0k0
Collective Intelligence

Deepfakes and Disinformation: A Future Concern in 2024

January 18, 2024 C0r0k0
Collective Intelligence

List of Best GPTs for Cybersecurity

January 16, 2024 C0r0k0