Researchers have documented another exploit linked to the NSA that is being used by attackers to target Microsoft Windows 2003 servers running the Internet Information Services version 6.0 web server.
It follows in the footsteps of the WannaCry ransomware worm, which was similarly leaked by the Shadow Brokers hacking group and attributed to an organisation linked to the NSA.
Code-named ExplodingCan, the exploit uses a known flaw in IIS 6.0 servers that have the WebDAV (distributed authoring and versioning) extension enabled for remote content creation and management, British security company Secarma said.
ExplodingCan sends a long request to the WebDAV PROPFIND function, triggering a buffer overflow, which in turn can be used for remote code execution and to obtain a command shell on the target Windows 2003 machine.
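For administrators who still have Windows Server 2003 hosts, the two things worth knowing from the description above are whether a given IIS 6.0 server advertises WebDAV at all and whether it is already receiving PROPFIND traffic. The script below is an added example written for this article and is not Secarma's tool or any code from the original report. It works entirely on constructed inputs: a hypothetical OPTIONS response whose Server, DAV and Allow header values are assumed to match what IIS 6.0 with WebDAV enabled returns, and a few made-up IIS W3C log lines (assuming the optional cs-bytes field has been enabled in the logging configuration). The first function reports WebDAV exposure from the headers; the second flags PROPFIND requests in the log and marks unusually large ones, since the exploit depends on an oversized request.

```python
"""Defensive checks for IIS 6.0 WebDAV PROPFIND exposure (added example).

  1. webdav_exposure() inspects a captured HTTP OPTIONS response and reports
     whether the host identifies as IIS 6.0 and advertises WebDAV/PROPFIND.
  2. flag_propfind() scans IIS W3C extended log lines and lists PROPFIND
     requests, marking those whose request size exceeds a threshold.
All sample data below is constructed for illustration, not captured traffic.
"""
from typing import Dict, List

# Constructed OPTIONS response from a hypothetical host. The header values are
# an assumption about what IIS 6.0 with WebDAV enabled advertises.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed IIS 6.0 W3C extended log excerpt (cs-bytes assumed enabled).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-06-20 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes
2017-06-20 10:00:01 10.0.0.5 GET /default.htm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 312
2017-06-20 10:00:02 10.0.0.5 PROPFIND /docs/ - 80 - 203.0.113.9 Microsoft-WebDAV-MiniRedir/6.1 207 0 0 540
2017-06-20 10:00:03 10.0.0.5 PROPFIND / - 80 - 198.51.100.4 - 500 0 0 9214
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a lowercase-name -> value dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def webdav_exposure(raw: str) -> Dict[str, bool]:
    """Classify an OPTIONS response: IIS 6.0 plus WebDAV/PROPFIND is the
    combination the article describes as exposed."""
    h = parse_headers(raw)
    methods = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    iis6 = h.get("server", "").lower().startswith("microsoft-iis/6.")
    webdav = "dav" in h  # DAV compliance header is only sent when WebDAV is on (assumption)
    propfind = "PROPFIND" in methods
    return {
        "iis6": iis6,
        "webdav": webdav,
        "propfind_allowed": propfind,
        "at_risk": iis6 and (webdav or propfind),
    }


def flag_propfind(log_text: str, byte_threshold: int = 4096) -> List[Dict[str, object]]:
    """List PROPFIND requests from W3C log text, marking oversized ones.

    The column layout is taken from the #Fields directive so the function
    works with whatever field set the server was configured to log.
    """
    fields: List[str] = []
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed line or no header yet: skip rather than guess
        rec = dict(zip(fields, values))
        if rec.get("cs-method", "").upper() != "PROPFIND":
            continue
        try:
            size = int(rec.get("cs-bytes", "-"))
        except ValueError:
            size = -1  # cs-bytes not logged; size unknown
        findings.append({
            "time": f"{rec.get('date', '-')} {rec.get('time', '-')}",
            "client": rec.get("c-ip", "-"),
            "uri": rec.get("cs-uri-stem", "-"),
            "status": rec.get("sc-status", "-"),
            "bytes": size,
            "oversized": size >= byte_threshold,
        })
    return findings


if __name__ == "__main__":
    print("exposure:", webdav_exposure(SAMPLE_OPTIONS_RESPONSE))
    for f in flag_propfind(SAMPLE_LOG):
        print("PROPFIND", f)
```

A host that reports at_risk should be treated the way the article recommends: migrated off Windows Server 2003, or, where that cannot happen immediately, have the WebDAV extension disabled since the flaw is only reachable when it is enabled. The log check is a triage aid rather than a signature; a large PROPFIND with a 500 status from an unfamiliar client is a reason to pull the full request from other sources, not proof of exploitation.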
The flaw could also be used to plant ransomware in a similar fashion to the WannaCry worm, which exploited a bug in Microsoft's Server Message Block version 1 file sharing protocol on systems that exposed it to the internet.
“Ultimately this is in the same risk category as the WannaCry attacks. It's another way for cybercriminals and hacking teams to access your environment and, once they’re in, the internal parts of these systems are wide open to a variety of different attack vectors,” Paul Harris, Secarma managing director, said.
The exploit is publicly available in the ExploitDB and Metasploit databases and has been used in the wild in a limited fashion, Harris said.
Microsoft has declared Windows Server 2003 out of support and won't issue security patches for the operating system.
Not as widespread as the SMBv1 flaw used by WannaCry
The British security vendor said that while it had found over 375,000 IIS 6.0 servers around the world that could be vulnerable, the exact number is hard to ascertain.
Harris said Secarma was unable to test how many of the systems had WebDAV enabled and which were vulnerable to ExplodingCan without falling foul of Britain's computer security laws.
Instead, the company shared its findings with the UK's National Cyber Security Centre, and advised users and organisations to migrate away from Windows Server 2003.
Secarma has also released a free tool for users to check for ExplodingCan.
A scan by iTnews using the Shodan.io site indicated that the number of servers vulnerable to ExplodingCan around the world is just over 42,000.
While substantial, it is well below the more than 200,000 machines that could be exploited by WannaCry when the infection started last month.
In Australia, Shodan.io found 1012 systems vulnerable to ExplodingCan.
Over 300 are found on hosting company WebCentral, with customers on telco provider Mid North Coast Internet having 85 vulnerable systems, TPG 77, and Telstra 52.