Number of internet facing vulnerable IIS 6.0 to CVE-2017-7269


Microsoft Windows Server 2003 R2 running IIS 6.0 with WebDAV (and therefore the PROPFIND method) enabled is vulnerable to remote code execution. A Metasploit module should be out soon.

At first this sounds scary. Even though Server 2003 R2 is EOL, Shodan shows more than 600k internet-facing servers running IIS 6.0, most of them on Windows Server 2003.

However, for this specific vulnerability to be exploitable, the WebDAV extension (which handles the PROPFIND method) needs to be enabled on the server.

I ran a little experiment and, together with my kindergarten maths, I calculated that out of the approximately 600,000 servers that run IIS 6.0, only 10% (~60,000) of them are potentially vulnerable. That's ~1% of the world's webservers.

How this was calculated:

I used Shodan to get a list of 10,000 IPs running IIS 6.0. After that, a simple Python script fires a curl request with the PROPFIND method against each of them.

The vast majority of them respond with "501 Not Implemented", "403 Forbidden", or "400 Bad Request". I'm assuming all of the above indicate that the vulnerability is not present.

However, a good 10% of them replied with "HTTP/1.1 411 Length Required", indicating that they are vulnerable.

The above is a very rough calculation. WebDAV could be enabled per directory or per virtual host, in which case those servers wouldn't be caught by a request to the root path, so the total number might be bigger. Hat tip to @rbmaslen for this.
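The check described above (a PROPFIND request, classified by the status line it gets back) as an added example for administrators inventorying their own IIS 6.0 hosts; this is not the author's script. It assumes the same response mapping the post reports (411 means WebDAV answered the PROPFIND; 501/403/400 mean it did not) and, following the per-directory caveat, lets you probe several paths per host rather than only `/`. The sample responses are constructed, not captured from real servers, so the parsing and classification run offline.

```python
"""Inventory check: does an IIS 6.0 host you administer have WebDAV enabled?

Assumption (from the post): an IIS 6.0 host with WebDAV enabled answers a
body-less PROPFIND with "411 Length Required"; 501/403/400 mean WebDAV is
not handling the request. Hosts that need patching/mitigation are those
classified "webdav-enabled".
"""
import socket
from typing import Optional, Tuple

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    "enabled": b"HTTP/1.1 411 Length Required\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n",
    "disabled": b"HTTP/1.1 501 Not Implemented\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n",
    "garbage": b"not an http response at all",
}

# Status codes the post treats as "WebDAV not present".
NOT_PRESENT = {501, 403, 400}


def build_propfind_request(host: str, path: str = "/") -> bytes:
    """Build a body-less PROPFIND request (no Content-Length on purpose,
    which is what provokes the 411 from a WebDAV-enabled IIS 6.0)."""
    return (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Depth: 1\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(raw: bytes) -> Tuple[Optional[int], Optional[str]]:
    """Return (status_code, Server header) from a raw HTTP response,
    or (None, None) if the bytes are not an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, None
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
    return int(parts[1]), server


def classify(code: Optional[int]) -> str:
    """Map a status code to the post's categories."""
    if code is None:
        return "no-http-response"
    if code == 411:
        return "webdav-enabled"
    if code in NOT_PRESENT:
        return "webdav-disabled"
    return "inconclusive"


def probe(host: str, path: str = "/", port: int = 80, timeout: float = 5.0) -> dict:
    """Send one PROPFIND to a host you are authorised to check and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_propfind_request(host, path))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:
        return {"host": host, "path": path, "code": None, "server": None,
                "result": f"connection-error: {exc}"}
    code, server = parse_status(raw)
    return {"host": host, "path": path, "code": code, "server": server,
            "result": classify(code)}


def check_host(host: str, paths=("/",), **kw) -> str:
    """Probe several paths (WebDAV may be enabled per directory) and report
    'webdav-enabled' if any path answers with 411."""
    results = [probe(host, p, **kw)["result"] for p in paths]
    return "webdav-enabled" if "webdav-enabled" in results else results[0]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, raw in SAMPLE_RESPONSES.items():
        code, server = parse_status(raw)
        print(f"{label:9} code={code} server={server} -> {classify(code)}")
```

Run `check_host("your-iis6-host.example", paths=("/", "/webdav/"))` against a host from your own inventory; a "webdav-enabled" result is the signal to prioritise that server for decommissioning, isolation, or disabling WebDAV.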

It's interesting to see whether Microsoft is going to make an exception and issue a hotfix for this.
