Number of internet facing vulnerable IIS 6.0 to CVE-2017–7269

Context: https://github.com/edwardz246003/IIS_exploit

Microsoft Windows Server 2003 R2 with WebDAV and PROPFIND enabled is vulnerable to remote code execution. Metasploit module should be out soon.

At first this sounds scary. Even though 2003 R2 is EOL, Shodan shows more than 600k internet facing servers running IIS 6.0, most of them in MS Server 2003.

However, in order for the specific vulnerability to be exploited, it seems like the PROPFIND header needs to be enabled.

I run a little experiment and together with my kindergarten maths I calculated that approximately out of the 600.000 servers that run IIS 6.0, only 10% (~60.000) of them are potentially vulnerable. Thats ~1% of the world’s webservers.

How was this calculated:

I used Shodan to get a list of 10.000 IPs running IIS 6.0. After that, a simple python script that fires a curl request with the PROPFIND header.

The vast majority of them respond with “501 Not Implemented”, “403 Forbidden”, or “400 Bad Request”. I’m assuming all of the above indicate that the vulnerability is not present.

However, a good 10% of them replied with “HTTP/1.1 411 Length Required” indicating that they are vulnerable.

The above is a very rough calculation. WebDAV could be enabled per directory or per virtual host in which case they wouldn’t be caught, so the total number might be bigger. Hat tip to @rbmaslen for this.

Its interesting to see if Microsoft is going to make an exception and issue a hotfix for this.