RC RANDOM CHAOS

ScStoragePathFromUrl overflows the stack on PROPFIND

CVE-2017-7269 turns an unpatched IIS 6.0 WebDAV server into pre-auth RCE. The exploit primitive, the telemetry blind spot, and the residual exposure.


CVE-2017-7269. A stack buffer overflow in the WebDAV service of Microsoft IIS 6.0 on Windows Server 2003 R2. NVD scores it CVSS v3 7.5. That number undersells it. The primitive is remote code execution in the worker process context, not denial of service. No authentication. No user interaction. A single crafted PROPFIND request reaches it. The affected surface is every IIS 6.0 instance with WebDAV enabled, and Windows Server 2003 left support in July 2015. There is no patch coming. The exposure is permanent for as long as the host stays online.

WebDAV is the enabling condition before the bug ever fires. It extends HTTP with methods for remote authoring - PROPFIND, PROPPATCH, MKCOL, LOCK. Legacy deployments enabled it for document publishing and never turned it off. PROPFIND retrieves properties on a resource and carries an If header used to express lock-token preconditions. That header holds a URL. The parser trusts it.

The bug lives in ScStoragePathFromUrl, a function in httpext.dll that resolves a storage path from a request URL. When WebDAV processes a PROPFIND whose If header contains two long Unicode strings, ScStoragePathFromUrl copies attacker-controlled bytes into a fixed-size stack buffer without validating length. Classic stack-based overflow. Unicode expansion inflates the input past the allocation. The copy runs over saved registers and over the return address. The attacker controls the overwrite.

The missing control is a length check before a wcscpy-class copy into a stack-resident buffer. WebDAV builds the storage path by concatenating the server-side root with the client-supplied resource path drawn from the If header lock token. The function assumes the combined path fits the destination. Supply a path long enough and the assumption fails silently. Given the predictable module layout, control of the saved instruction pointer is direct.

Windows Server 2003 is the reason this is trivial rather than hard. DEP and ASLR exist on the platform but apply inconsistently to this code path and to the modules loaded alongside w3wp.exe. Predictable module base addresses mean a return-address overwrite lands where the attacker expects. The public proof of concept - released by Zhiniang Peng and Chen Wu in March 2017 - demonstrated reliable code execution. A Metasploit module followed within days. The skill floor dropped to selecting a target, setting RHOST, and running a module. That is the low barrier the topic points at. Twenty-year-old web server software, a memory-unsafe string copy, reachable pre-auth over HTTP.

Execution lands inside w3wp.exe, the IIS worker process. On Server 2003 that process commonly runs as NETWORK SERVICE, or on misconfigured hosts as LOCAL SYSTEM. The first post-exploitation move is persistence and reach. A web shell written into wwwroot - China Chopper, an ASPX one-liner, or a staged reverse shell - converts a one-shot memory corruption into durable command execution. MITRE T1190, exploit public-facing application, into T1505.003, web shell, into T1059.003, Windows command shell. Token privileges decide what comes next. NETWORK SERVICE escalates through documented Server 2003 local privilege escalation. The OS is past end of support, so the local kernel is as unpatched as the web stack. A domain-joined legacy box becomes the pivot into the rest of the estate.

IIS hardened its process model in later versions. IIS 7.0 and onward default to ApplicationPoolIdentity, a virtual account scoped to one pool with minimal rights, and they isolate worker processes more aggressively. IIS 6.0 predates that model. A successful overflow on 2003 inherits whatever the pool runs as, and operators routinely set it to a high-privilege account to make a legacy application function. The privilege the exploit gains is the privilege the misconfiguration handed it.

The pattern is not specific to one CVE. ASP.NET ViewState deserialization produces the same outcome through configuration failure rather than a memory bug. The __VIEWSTATE field is deserialized server-side by ObjectStateFormatter. Integrity depends on the machineKey in web.config. If that key leaks - source disclosure, a path traversal reading web.config, a default or shared key copied across a server farm - an attacker forges a ViewState payload with a valid MAC. ysoserial.net generates the gadget chain. The server deserializes an attacker-controlled object graph and executes a gadget. RCE in w3wp again. Same context, same web shell, different root cause. CVE-2020-0688 is the named real-world case. Microsoft Exchange shipped a static validation key, identical across installs. CVSS v3 8.8. Multiple nation-state actors weaponised it against internet-facing Exchange before defenders rotated keys. The enabling condition was a secret that should never have been guessable becoming guessable.
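The configuration side of that chain can be audited directly. The following is an added example, not code from the original post or from Microsoft: it reads the `<system.web>` section of one or more web.config files and reports the conditions the paragraph ties to forged ViewState, a static validationKey that matches a known shared value, the same static key reused across unrelated applications, and ViewState MAC checking switched off. The sample configs, application names and the known-key set are constructed; the actual Exchange key from CVE-2020-0688 is deliberately not reproduced.

```python
"""Audit the web.config settings that decide whether a forged __VIEWSTATE
is accepted. Added example (not from the original post); configs, app
names and the known-key set are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed placeholder. Populate from vendor defaults and sample code you
# have seen copied into production; no real product key is listed here.
KNOWN_SHARED_VALIDATION_KEYS = {"0123456789ABCDEF" * 8}
RECOMMENDED_VALIDATION_HEX_LEN = 128   # 64 bytes, sized for HMACSHA256


def _child(parent, tag):
    """First direct child with this tag (tag names like system.web contain dots)."""
    return next((c for c in parent if c.tag == tag), None)


def audit_config(app: str, xml_text: str) -> dict:
    """Findings for one application's web.config."""
    findings: list[str] = []
    result = {"app": app, "static_validation_key": None, "findings": findings}
    web = _child(ET.fromstring(xml_text), "system.web")
    if web is None:
        return result
    pages = _child(web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("viewstate-mac-disabled")   # payload deserialised unchecked
    mk = _child(web, "machineKey")
    if mk is None:
        findings.append("machinekey-inherits-machine.config")
        return result
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps").strip()
    if vkey.upper().startswith("AUTOGENERATE"):
        if "ISOLATEAPPS" not in vkey.upper():
            findings.append("validationkey-shared-by-all-apps-on-host")
        return result
    result["static_validation_key"] = vkey.upper()
    if vkey.upper() in KNOWN_SHARED_VALIDATION_KEYS:
        findings.append("validationkey-known-shared")
    if len(vkey) < RECOMMENDED_VALIDATION_HEX_LEN:
        findings.append("validationkey-below-recommended-length")
    return result


def audit_all(configs: dict[str, str]) -> list[dict]:
    """Audit several applications and flag static keys reused between them.
    Farm members serving one application share a key by design, so feed
    them in as a single application."""
    results = [audit_config(app, text) for app, text in configs.items()]
    by_key: dict[str, list[dict]] = defaultdict(list)
    for r in results:
        if r["static_validation_key"]:
            by_key[r["static_validation_key"]].append(r)
    for group in by_key.values():
        if len(group) > 1:
            for r in group:
                r["findings"].append("validationkey-shared-across-apps")
    return results


# Constructed sample configs (not from any real deployment).
STATIC_KEY = "0123456789ABCDEF" * 8        # constructed; matches the placeholder above
DEC_KEY = "FEDCBA9876543210" * 3
STATIC_CONFIG = (
    '<configuration><system.web>'
    f'<machineKey validationKey="{STATIC_KEY}" decryptionKey="{DEC_KEY}" '
    'validation="SHA1" decryption="AES" />'
    '</system.web></configuration>'
)
SAMPLE_CONFIGS = {
    "legacy-portal": STATIC_CONFIG,
    "hr-intranet": STATIC_CONFIG,
    "modern-app": ('<configuration><system.web><machineKey '
                   'validationKey="AutoGenerate,IsolateApps" '
                   'decryptionKey="AutoGenerate,IsolateApps" />'
                   '</system.web></configuration>'),
    "demo-site": ('<configuration><system.web><pages enableViewStateMac="false" />'
                  '</system.web></configuration>'),
}

if __name__ == "__main__":
    for r in audit_all(SAMPLE_CONFIGS):
        print(r["app"], r["findings"] or "ok")
```

Since the September 2014 .NET Framework update ASP.NET ignores `enableViewStateMac="false"`, so that finding matters mainly on frameworks as old as the ones a Server 2003 host can run.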

The newer surface is HTTP.sys. CVE-2022-21907 - HTTP protocol stack remote code execution, CVSS v3 9.8, wormable - sits in the kernel-mode driver that fronts IIS. The trigger is malformed Trailer and Accept-Encoding handling in HTTP/2 request processing. CVE-2015-1635, MS15-034, was the earlier HTTP.sys integer overflow reached through a crafted Range header requesting a range up to 0xFFFFFFFFFFFFFFFF. Both are pre-auth. Both reach kernel context. Both stay exploitable on hosts that skipped the patch cycle. The barrier to entry is not the complexity of the server. It is whoever forgot the box existed.

CVE-2017-7269 was exploited in the wild before public disclosure and continued after. The PoC and the Metasploit module made it commodity. Internet-wide scans still return vulnerable IIS 6.0 hosts - government, manufacturing, healthcare, anything running a line-of-business application on a server nobody is allowed to reboot. Cryptominers, web shell campaigns, and initial-access brokers all use it. It is not an advanced capability. It is a scanner result and a module invocation. Shodan and mass HTTP scanners fingerprint IIS 6.0 from the Server response header. The version banner is the targeting data. An attacker filters for Microsoft-IIS/6.0, confirms WebDAV with an OPTIONS request reading the allowed methods, and queues the host. Reconnaissance stays passive and indistinguishable from background internet noise until the PROPFIND lands.

Telemetry is where defenders go blind. The overflow itself writes nothing useful to the IIS application log beyond a PROPFIND request, and IIS 6.0 W3C logging will not record the oversized If header. No crash event reaches the SOC. Detection has to come from behaviour after execution. The canonical signal is process lineage. w3wp.exe spawning cmd.exe, powershell.exe, or any shell is the fact that matters. Sysmon Event ID 1 and Windows Security Event 4688 capture that parent-child relationship. Sysmon Event ID 11 records a new .aspx file written into a web root. Sysmon Event ID 3 records w3wp.exe opening an outbound connection it has no reason to open.

China Chopper is the reference case for what the web shell stage produces. The client-server protocol is a short HTTP POST with the payload in the body, often a single line of ASPX that hands the request into an eval or a process call. The server response is terse. The on-disk footprint is a small script file, low entropy, easy to miss among legitimate pages. The behavioural tell is not the file. It is w3wp.exe executing commands and the burst of structurally identical POST requests to one endpoint.

The platform defeats the detection. Windows Server 2003 does not run a current Sysmon build. EDR agents either refuse the OS or run degraded. The host most likely to carry CVE-2017-7269 is the host least likely to emit usable endpoint telemetry. The detection that works on a 2022 server does not exist on the 2003 box. Network becomes the fallback. North-south egress from a web-server segment, PROPFIND with abnormal header length at the WAF or reverse proxy, and lateral SMB out of a DMZ host are the observable edges. The endpoint is dark.
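The proxy-side check that paragraph points at, written out as an added example rather than code from the post: it parses the head of an HTTP/1.1 request the way a reverse proxy or IDS sees it and tags WebDAV methods whose If header is far longer than any lock-token precondition, or carries non-ASCII bytes where only tokens and URIs belong. The thresholds, host names and sample requests are constructed assumptions, not values from the advisory.

```python
"""Proxy-side triage of WebDAV requests whose If header is out of shape.
Added example, not code from the original post; thresholds, hosts and
sample requests are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed thresholds. RFC 4918 If headers hold lock tokens and ETags, so a
# few hundred bytes covers real clients; beyond that, look closer.
IF_HEADER_LONG = 512
IF_HEADER_OVERSIZED = 4096
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}


@dataclass
class Request:
    method: str
    target: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_head(raw: bytes) -> Request:
    """Parse the request line and headers up to the blank line. Repeated
    header fields are joined with ', ' (RFC 7230) so the length check sees
    the total the server will reassemble."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return Request(method.upper(), target, headers)


def triage(req: Request) -> list[str]:
    """Return zero or more finding tags for one request."""
    if req.method not in WEBDAV_METHODS:
        return []
    findings = [f"webdav-method:{req.method}"]
    if_hdr = req.headers.get("if", "")
    size = len(if_hdr)                       # latin-1: one char per wire byte
    if size >= IF_HEADER_OVERSIZED:
        findings.append(f"if-header-oversized:{size}")
    elif size >= IF_HEADER_LONG:
        findings.append(f"if-header-long:{size}")
    if any(ord(c) > 0x7F for c in if_hdr):
        findings.append("if-header-non-ascii")   # tokens and URIs should be ASCII
    return findings


def triage_raw(raw: bytes) -> list[str]:
    return triage(parse_head(raw))


# Constructed sample requests (not captured traffic).
BENIGN = (
    b"PROPFIND /docs/report.docx HTTP/1.1\r\n"
    b"Host: files.example.internal\r\n"
    b"Depth: 0\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SUSPECT = (
    b"PROPFIND / HTTP/1.1\r\n"
    b"Host: files.example.internal\r\n"
    b"If: <http://files.example.internal/" + b"A" * 5000 + b"\xe8\xb0\xae>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_raw(raw))
```

Run it at the WAF or reverse proxy in front of the segment; the IIS 6.0 host itself never logs the header this check keys on.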

Detection content that generalises across all of these chains: alert when w3wp.exe has any child process; treat web-server-initiated outbound connections as suspicious by default; monitor web root directories for newly created script files. None of these depend on knowing the specific CVE. They fire on the post-exploitation stage every one of these paths shares. A Sigma rule keyed on parent image w3wp.exe and a child image of a command interpreter catches the WebDAV chain, the ViewState chain, and the HTTP.sys chain with one expression.
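The three generic rules above, and the process-lineage, web-root and egress signals described in the telemetry and China Chopper paragraphs, expressed as executable detection logic. This is an added example, not code from the original post or from Sysmon: the events are constructed to look like Sysmon Event ID 1 (process create), 11 (file create) and 3 (network connect) after a SIEM has flattened the XML into key/value fields, with field names following Sysmon's schema. The web root, the egress allow-list and every host, path and address are assumptions.

```python
"""Post-exploitation detections for the IIS worker process, run over
Sysmon-style events. Added example (not from the original post or from
Sysmon); web root, allow-list and all sample values are assumptions.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

WORKER = "w3wp.exe"
WEB_ROOTS = (r"c:\inetpub\wwwroot",)                 # assumed; extend per host
INTERPRETERS = {"cmd.exe", "powershell.exe", "powershell_ise.exe",
                "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe"}
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}
# Destinations the worker legitimately talks to (assumed back-end SQL).
ALLOWED_EGRESS = {(ip_network("10.0.0.5/32"), 1433)}
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _name(path: str) -> str:
    """Case-folded file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _in_web_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in WEB_ROOTS)


def evaluate(ev: dict) -> list[tuple[str, str]]:
    """Return (severity, rule) pairs fired by one event. Every rule keys on
    the worker process, never on a CVE, so it covers any chain ending in w3wp."""
    alerts: list[tuple[str, str]] = []
    eid = int(ev["EventID"])

    if eid == 1 and _name(ev.get("ParentImage", "")) == WORKER:
        child = _name(ev.get("Image", ""))
        if child in INTERPRETERS:
            alerts.append(("high", "w3wp_spawns_interpreter"))
        else:
            # Any child is noteworthy; ASP.NET dynamic compilation (csc.exe,
            # cvtres.exe) is the usual benign source and gets tuned out per site.
            alerts.append(("medium", "w3wp_spawns_child"))

    elif eid == 11 and _name(ev.get("Image", "")) == WORKER:
        target = ev.get("TargetFilename", "")
        if _in_web_root(target) and PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
            alerts.append(("high", "w3wp_writes_webroot_script"))

    elif eid == 3 and _name(ev.get("Image", "")) == WORKER:
        if str(ev.get("Initiated", "")).lower() == "true":
            dst = ip_address(ev["DestinationIp"])
            port = int(ev["DestinationPort"])
            if not any(dst in net and port == p for net, p in ALLOWED_EGRESS):
                internal = any(dst in net for net in INTERNAL)
                alerts.append(("medium" if internal else "high", "w3wp_outbound_unexpected"))
    return alerts


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run every event through the rules; returns (severity, rule, summary)."""
    out = []
    for ev in events:
        summary = (ev.get("CommandLine") or ev.get("TargetFilename")
                   or f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}")
        for sev, rule in evaluate(ev):
            out.append((sev, rule, summary))
    return out


# Constructed sample telemetry (not real logs).
W3WP = r"C:\WINDOWS\system32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": W3WP, "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": "cmd.exe /c ver"},
    {"EventID": "1", "ParentImage": W3WP,
     "Image": r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library App_Web.dll"},
    {"EventID": "11", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\help.aspx"},
    {"EventID": "11", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\App_Data\session.log"},
    {"EventID": "3", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "10.0.0.5", "DestinationPort": "1433"},
    {"EventID": "3", "Image": W3WP, "Initiated": "true",
     "DestinationIp": "203.0.113.7", "DestinationPort": "443"},
    {"EventID": "3", "Image": W3WP, "Initiated": "false",
     "DestinationIp": "192.168.1.20", "DestinationPort": "80"},
]

if __name__ == "__main__":
    for sev, rule, summary in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {summary}")
```

The same logic expressed as a Sigma rule is a single selection on `ParentImage|endswith: '\w3wp.exe'` plus an `Image|endswith` list of interpreters; the Python form is here so the rules can be run against sample events and tuned, which on a Server 2003 host means feeding it whatever the network and any surviving 4688 events supply rather than a current Sysmon build.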

The patch boundary on CVE-2017-7269 does not exist for the supported product. Server 2003 is dead. Microsoft issued out-of-band fixes for the HTTP.sys wormables on supported Windows, but the WebDAV overflow on 2003 has no vendor remedy. Residual exposure equals uptime. The controls that apply are disabling WebDAV, removing the host from any untrusted network path, and replatforming the application. The existence of the box implies none of that has happened.

The legal boundary is sharper than the technical one. Running these techniques against systems without authorisation is a criminal offence under Australia’s Criminal Code Act 1995 (Cth) Part 10.7, unauthorised access to a restricted computer, and under the US CFAA, 18 U.S.C. 1030. Operators of critical infrastructure carry reporting obligations under the SOCI Act, and a confirmed compromise of personal information triggers the Notifiable Data Breaches scheme under the Privacy Act. An active intrusion on a production IIS host is an incident-response event. It goes to the security team, and where thresholds apply, to the regulator. The fun in the title is doing time. The mechanism is a memory-unsafe string copy in a server that should have been decommissioned a decade ago.
