Merge pull request #1451 from geeknik/patch-85

Update CVE-2017-7269.yaml
2021-05-09 22:51:51 +05:30 · 2021-05-09 22:51:51 +05:30 · f34934565f
parent 02646ac79d 1913076aef
commit f34934565f
1 changed files with 11 additions and 5 deletions
--- a/cves/2017/CVE-2017-7269.yaml
+++ b/cves/2017/CVE-2017-7269.yaml
@ -1,25 +1,31 @@
 id: CVE-2017-7269

 info:
-  name: CVE-2017-7269
-  author: thomas_from_offensity
+  name: Windows Server 2003 & IIS 6.0 RCE
+  author: thomas_from_offensity & @geeknik
  severity: critical
-  description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
-  reference: https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
+  description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
+  reference:
+    - https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
+    - https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
+  tags: cve,cve2017,rce

 requests:
  - method: OPTIONS
    path:
      - "{{BaseURL}}"
+
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
+
      - type: word
        words:
          - "IIS/6.0"
        part: header
+
      - type: dsl
        dsl:
          - regex("<DAV:sql>", dasl)    # lowercase header name: DASL
@ -27,4 +33,4 @@ requests:
          - regex(".*?PROPFIND", public)    # lowercase header name: Public
          - regex(".*?PROPFIND", allow)    # lowercase header name: Allow
        condition: or
-        part: header
+        part: header