MS-ISAC ADVISORY NUMBER:
2008-006

DATE(S) ISSUED:
2/13/2008

SUBJECT:
Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution

OVERVIEW:

A new vulnerability has been discovered in Microsoft Windows operating systems which could allow an attacker to take complete control of the affected system. The vulnerable component (WebDAV Mini-Redirector) is enabled by default on all Microsoft Windows operating systems except Windows Server 2003. This vulnerability can be exploited if a user visits a malicious web site which sends back a specially formatted web response. Successful exploitation will result in an attacker gaining administrator-level privileges on a vulnerable computer; the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Microsoft XP Service Pack 2
  • Microsoft XP Professional x64 and Service Pack 2
  • Microsoft Server 2003 Service Pack 1 and Service Pack 2
  • Microsoft Server 2003 x64 Service Pack 1 and Service Pack 2
  • Microsoft Server 2003 Service Pack 1 for Itanium-based Systems
  • Microsoft Server 2003 Service Pack 2 for Itanium-based Systems
  • Microsoft Windows Vista
  • Microsoft Windows Vista x64

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
A new vulnerability has been discovered in the Web Distributed Authoring and Versioning (WebDAV) Mini-Redirector (Web Client service) for various Microsoft Windows operating systems. WebDAV is an extension to Hypertext Transfer Protocol (HTTP) that allows a user to copy, move, delete and create files in a distributed fashion. The WebDAV redirector allows such content to be edited through Universal Naming Convention (UNC) shares.

This remote code execution vulnerability is caused by a flaw in the way that the WebDAV Mini-Redirector (Web Client service) handles malicious pathnames in WebDAV responses. It can be exploited if a malicious WebDAV server sends back a specially crafted WebDAV response, causing a heap overflow on the affected client.

Vulnerable systems must have the Web Client service enabled and running; note that this service is disabled by default on Windows Server 2003. Successful exploitation will give an attacker complete control of an affected host and the ability to execute arbitrary code with administrator-level rights.

RECOMMENDATIONS:
We recommend that the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Consider disabling the Web Client service on affected computers, unless there is a documented business need, after appropriate testing.
  • Do not visit unknown or untrusted Web sites or click on links provided in an email.
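
One way to carry out the second recommendation, shown as an added example that is not part of the original advisory: a Windows PowerShell function that reports the state of the Web Client service and, only when asked, stops and disables it. It assumes the service's short name is WebClient, that WMI is reachable from an elevated session, and the function name Set-WebClientMitigation is hypothetical.

```powershell
# Added example (not from the advisory). Assumptions: service short name
# 'WebClient', Windows PowerShell with WMI access, elevated session.
function Set-WebClientMitigation {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [switch]$Disable    # without this switch the function only reports
    )
    foreach ($computer in $ComputerName) {
        $query = @{ Class = 'Win32_Service'; ComputerName = $computer
                    Filter = "Name='WebClient'"; ErrorAction = 'SilentlyContinue' }
        $svc = Get-WmiObject @query
        if (-not $svc) {
            # Service missing or host unreachable: record it rather than guess.
            New-Object PSObject -Property @{
                Computer = $computer; State = 'NotFound'; StartMode = 'n/a'; Result = 'skipped' }
            continue
        }
        $result = 'report-only'
        if ($Disable) {
            $codes = @()
            # Disable first so the service cannot be restarted on demand,
            # then stop the running instance. ReturnValue 0 means success.
            if ($svc.StartMode -ne 'Disabled') {
                $codes += ($svc.ChangeStartMode('Disabled')).ReturnValue
            }
            if ($svc.State -ne 'Stopped') {
                $codes += ($svc.StopService()).ReturnValue
            }
            $failed = @($codes | Where-Object { $_ -ne 0 })
            if ($failed.Count -gt 0) {
                $result = 'failed (WMI return codes: ' + ($failed -join ',') + ')'
            } else {
                $result = 'disabled'
            }
            # Re-read so the report shows the state after the change.
            $svc = Get-WmiObject @query
        }
        New-Object PSObject -Property @{
            Computer = $computer; State = $svc.State
            StartMode = $svc.StartMode; Result = $result }
    }
}

# Report only:       Set-WebClientMitigation
# Apply the change:  Set-WebClientMitigation -Disable
```

Run it in report-only mode first to identify hosts where the service is in use, in line with the advisory's note about testing and documented business need.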

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms08-007.mspx

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0080

COSEINC:
http://www.coseinc.com/coseinc_windows_advisory_3.pdf

Secunia:
http://secunia.com/advisories/28894/



This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.