MS-ISAC ADVISORY NUMBER:
2009-026

DATE(S) ISSUED:
5/19/2009

SUBJECT:
Multiple Authentication Bypass Vulnerabilities in Microsoft IIS Web Servers Could Allow for Privilege Escalation

OVERVIEW:

Microsoft Internet Information Services (IIS) is the web server that ships with Microsoft Windows Server. Multiple authentication bypass vulnerabilities have been discovered in IIS when WebDAV is enabled, which could allow for privilege escalation. WebDAV (Web-based Distributed Authoring and Versioning) is an optional IIS extension that allows users to upload, modify, and manage files located on a web server over HTTP. Upon successful exploitation of these vulnerabilities, an attacker may be able to obtain, modify, or upload files on the affected IIS server without supplying credentials.

Currently, there is no patch for these vulnerabilities.

SYSTEMS AFFECTED:

  • Microsoft IIS 5.0
  • Microsoft IIS 5.1
  • Microsoft IIS 6.0

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

DESCRIPTION:
Multiple authentication bypass vulnerabilities have been discovered in Microsoft Internet Information Services (IIS). When WebDAV is in use, IIS fails to verify credentials before accessing password protected files. These vulnerabilities exist because the WebDAV extension does not properly decode the requested URL: IIS performs its credential check against the URL as submitted, so a request that passes that check can, once decoded by the WebDAV extension, resolve to a password protected file or folder.

Note: WebDAV is not enabled by default on IIS 6.0.

An attacker could access password protected files by sending the IIS server a specially crafted HTTP GET request that contains a Unicode-encoded "/" or "\" character (e.g. "%c0%af" or "%c1%9c", overlong UTF-8 encodings that a strict decoder rejects but the WebDAV extension accepts) and includes the "Translate: f" header, which directs the request to the WebDAV extension. Additionally, an attacker can view the directory listing of a password protected folder by sending a specially crafted PROPFIND request containing the same Unicode-encoded "/" or "\" character. Successful exploitation of these vulnerabilities could allow the attacker to obtain, modify, or upload files without supplying a password to the vulnerable IIS server. The extent of actions possible after successful exploitation is determined by the NTFS file system permissions granted to the anonymous user account, because the bypassed authentication is replaced by anonymous access.
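The following detection script is an added example written for this advisory; it is not code from MS-ISAC or Microsoft. It does two things the paragraph above describes in words: it shows that the "%c0%af" and "%c1%9c" sequences are overlong UTF-8 forms that a strict decoder refuses but a permissive decoder turns into "/" and "\", and it scans raw HTTP requests (as a reverse proxy or IDS would see them, before any normalization) for such sequences combined with the WebDAV indicators named in the advisory, the "Translate: f" header and the PROPFIND method. The sample requests, host name and paths are constructed for the example. It generalizes slightly beyond the two byte pairs in the text: any two-byte sequence whose lead byte is 0xC0 or 0xC1 is overlong and is reported, since no valid UTF-8 uses those lead bytes.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead bytes that can only begin an overlong two-byte UTF-8 sequence.
# Valid UTF-8 never uses 0xC0 or 0xC1, so any percent-encoded pair starting
# with them is an encoding trick, not a legitimate character.
OVERLONG_LEAD_BYTES = {0xC0, 0xC1}

# WebDAV indicators named in the advisory. Other WebDAV verbs could be added.
WEBDAV_METHODS = {"PROPFIND"}


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong sequences.

    This mimics a permissive decoder: it trusts the lead byte's length and
    recombines the bits, so b"\\xc0\\xaf" becomes "/" and b"\\xc1\\x9c"
    becomes "\\". Python's own str.decode("utf-8") correctly refuses these.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            length, cp = 1, b
        elif 0xC0 <= b <= 0xDF:
            length, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            length, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            length, cp = 4, b & 0x07
        else:  # stray continuation byte or out-of-range lead byte
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out)


def find_overlong_sequences(raw_target: str):
    """Return (offset, escaped_text, decoded_char) for each percent-encoded
    overlong two-byte sequence in the undecoded request target."""
    tokens = [(m.start(), int(m.group(1), 16))
              for m in re.finditer(r"%([0-9a-fA-F]{2})", raw_target)]
    findings = []
    for (pos, lead), (pos2, tail) in zip(tokens, tokens[1:]):
        if pos2 == pos + 3 and lead in OVERLONG_LEAD_BYTES and 0x80 <= tail <= 0xBF:
            findings.append((pos, raw_target[pos:pos + 6],
                             lenient_utf8_decode(bytes([lead, tail]))))
    return findings


def analyze_request(raw: bytes) -> dict:
    """Parse one raw HTTP request head and flag the pattern from the advisory.

    The check must run on the request as received; normalizing the URL first
    destroys the very discrepancy being detected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    overlong = find_overlong_sequences(target)
    translate_f = headers.get("translate", "").lower() == "f"
    webdav_indicator = translate_f or method.upper() in WEBDAV_METHODS
    return {
        "method": method,
        "target": target,
        # what a permissive WebDAV decoder would resolve the path to
        "decoded_target": lenient_utf8_decode(unquote_to_bytes(target)),
        "overlong": overlong,
        "translate_f": translate_f,
        # overlong encodings are invalid on their own; with a WebDAV
        # indicator they match the advisory's bypass pattern exactly
        "suspicious": bool(overlong) and webdav_indicator,
    }


# Constructed sample traffic for the example (not captured from a real server).
SAMPLE_REQUESTS = [
    b"GET /prot%c0%afected/report.doc HTTP/1.1\r\nHost: intranet.example\r\nTranslate: f\r\n\r\n",
    b"PROPFIND /prot%C1%9Cected/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n\r\n",
    # benign Office client: Translate: f alone is normal WebDAV traffic
    b"GET /public/notes.doc HTTP/1.1\r\nHost: intranet.example\r\nTranslate: f\r\n\r\n",
    # benign: %2F is the legitimate one-byte encoding of "/", not overlong
    b"GET /public/a%2Fb.txt HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
]


def scan_all():
    return [analyze_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for result in scan_all():
        print(result["method"], result["target"], "->", result["decoded_target"],
              "SUSPICIOUS" if result["suspicious"] else "ok")
```

The "Translate: f" header is sent by ordinary Microsoft Office and WebDAV clients, so it is only meaningful in combination with the overlong bytes; flagging it alone would drown the signal. IIS W3C logs also do not record the Translate header unless custom logging is configured, which is why this check is placed at a proxy or IDS with access to the raw request rather than run over server logs.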

If WebDAV functionality is required, New Technology File System (NTFS) Access Control Lists (ACLs) should be used to control access to resources on the server, since NTFS permissions are enforced regardless of whether the web-level authentication check is bypassed. If anonymous users must be able to reach resources through WebDAV, grant the anonymous user account only the read or write NTFS permissions that those resources actually require. Additional information regarding NTFS ACLs can be found in the following Microsoft articles:

http://support.microsoft.com/?id=271071
http://support.microsoft.com/kb/812614/

Currently, there is no patch for these vulnerabilities.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Disable WebDAV unless there is a business need to do otherwise.
  • Follow Microsoft's recommendations to mitigate WebDAV vulnerabilities on affected systems.
  • Apply appropriate NTFS ACLs to prohibit unauthorized access. See links above.
  • Apply the appropriate patch provided by Microsoft to vulnerable systems as soon as it becomes available.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/34993/

Microsoft:
http://www.microsoft.com/windowsserver2003/iis/default.mspx
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b037954-441d-4037-a111-94df7880c319.mspx?mfr=true
http://support.microsoft.com/default.aspx/kb/325864
http://support.microsoft.com/kb/311350
http://support.microsoft.com/?id=271071
http://support.microsoft.com/kb/812614/

Secunia:
http://secunia.com/advisories/35109/

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.