CVE-2017-7269
Published: 27 March 2017
Summary
CVE-2017-7269 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Microsoft Internet Information Services. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2017-7269 is a buffer overflow vulnerability (CWE-120) in the ScStoragePathFromUrl function within the WebDAV service of Internet Information Services (IIS) 6.0, specifically affecting Microsoft Windows Server 2003 R2. The flaw is triggered by a specially crafted PROPFIND request containing a long "If: <http://" header, which can corrupt memory during path handling.
Remote attackers with network access can exploit the issue without authentication or user interaction to execute arbitrary code on the server, as reflected in its CVSS 3.1 base score of 9.8. The vulnerability was exploited in the wild as early as July or August 2016.
Public references document the issue through vulnerability databases and include proof-of-concept exploit code on GitHub, along with discussion of unofficial micropatch options for unsupported systems; no official vendor patch is referenced for the end-of-life platform.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-16299
Vulnerability details
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of incoming HTTP headers (e.g., the long "If:" header) before they reach ScStoragePathFromUrl, preventing the buffer overflow.
- SI-16 (Memory Protection): Enforces memory-protection mechanisms (ASLR, DEP, etc.) that block successful exploitation of the overflow even if input validation fails.
- A further control requires disabling or restricting the WebDAV service (and PROPFIND method) when not explicitly needed, eliminating the vulnerable attack surface on the EOL IIS 6.0 host.
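
The input-validation and WebDAV-restriction controls above can be expressed as a request pre-filter placed in front of the server. This is an added example, not code from this page or from any vendor; the 1024-byte limit, the function names and the sample requests are assumptions constructed for illustration. It also handles folded and repeated "If" headers, which a naive per-line length check would miss.

```python
# Added example: pre-filter for the request shape described on this page.
MAX_IF_LEN = 1024  # assumed ceiling; tune to what legitimate WebDAV clients send
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_head(raw: bytes):
    """Return (method, headers) from a raw request head, unfolding continuation lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = []  # [name, value] pairs; repeated headers are kept separately
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += " " + line.strip()  # folded line continues the previous header
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip().lower(), value.strip()])
    return method, headers


def verdict(raw: bytes, webdav_needed: bool = False) -> str:
    """Return 'allow', or 'block:<reason>' for a request that should not reach WebDAV."""
    method, headers = parse_head(raw)
    if method in WEBDAV_METHODS and not webdav_needed:
        return "block:webdav-disabled"
    if method == "PROPFIND":
        # Sum across repeated If headers so splitting the value does not dodge the limit.
        total = sum(len(v) for n, v in headers if n == "if")
        if total > MAX_IF_LEN:
            return "block:oversized-if-header"
    return "allow"


# Constructed sample requests (filler characters only, not captured traffic).
FILL = "a" * 2000
SAMPLES = {
    "normal_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "short_propfind": b"PROPFIND /docs HTTP/1.1\r\nHost: example.test\r\nIf: <http://example.test/docs> (<urn:uuid:constructed>)\r\n\r\n",
    "long_propfind": ("PROPFIND / HTTP/1.1\r\nHost: example.test\r\nIf: <http://example.test/" + FILL + ">\r\n\r\n").encode(),
    "folded_propfind": ("PROPFIND / HTTP/1.1\r\nHost: example.test\r\nIf: <http://example.test/\r\n " + FILL + ">\r\n\r\n").encode(),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw, webdav_needed=True), verdict(raw))
```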