Tuesday, May 19, 2009

IIS6 vulnerability exposes protected data

By Brett D. Arion
Microsoft has issued an advisory to address public reports of a remote authentication bypass vulnerability that exists because of how the WebDAV extension for IIS (Internet Information Services) deals with HTTP requests. If exploited, an attacker would have access to password protected folders and the ability to list, download, and upload files into protected WebDAV folders.

Discovered and disclosed by Nikolaos Rangos, the vulnerability exists because the “…Web Server fails to properly handle unicode tokens when parsing the URI and sending back data,” he said in his report.

Affected are IIS 5.0, IIS 5.1, and IIS 6.0. However, in its posting on the SRD Blog, Microsoft said that some IIS configurations are not vulnerable. A server that is not running WebDAV is not exposed to this attack, as is the case by default on Server 2003, where IIS 6 shipped with WebDAV disabled. Likewise, a server that does not rely on IIS permissions to restrict access to content is not vulnerable either, since there is no access restriction for the bypass to defeat.

“We are still investigating different attack ideas possible using this vulnerability but the original report claimed files could be uploaded and modified. However, what we have found is that the IIS installer applies an NTFS access control entry to explicitly deny write access to the anonymous account (IUSR_[MachineName]) in wwwroot and subdirectories that inherit wwwroot’s ACL. So in the default case, this vulnerability will not allow a malicious attacker to upload or modify webpages,” the SRD blog says.

Microsoft says it is unaware of any attacks using this vulnerability, but an advisory from CERT says it has received reports of active attacks using published code. Even if there are no active attacks at this time, the cat is out of the bag, and the slow patching that is prevalent within IT means this is simply another vector attackers can use.

Advisory 971492 explains some steps to take in order to mitigate any attack on systems running IIS. The main suggestions are to disable WebDAV and to alter ACLs to deny access to the anonymous user account, should WebDAV be required.
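Because the advisory's mitigations (disable WebDAV, or deny the anonymous account access via ACLs) leave a window where requests may still arrive, a defender also wants to spot the pattern the report describes: an unauthenticated WebDAV request whose URI carries unicode tokens and that the server nevertheless answered successfully. The script below is an added example for this article, not code from Microsoft or from the researcher; it reads IIS-style W3C extended log lines, and the sample lines, the heuristic, the severity labels and the `%e2%80%8b` sequence used as a stand-in for a "unicode token" are all constructed for illustration.

```python
"""Flag IIS W3C log entries that match the WebDAV unicode-token pattern
described in Microsoft advisory 971492.

Heuristic (an assumption, not the advisory's own detection logic):
  - a WebDAV method whose URI stem contains bytes >= 0x80, raw or
    percent-encoded, is suspicious ("medium");
  - if that request was also anonymous (cs-username "-") and got a 2xx
    status, it looks like a successful authentication bypass ("high").
"""
from urllib.parse import unquote_to_bytes

# Methods handled by the WebDAV extension (standard RFC 4918 verbs plus SEARCH).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log, W3C extended format as IIS writes it. Not real traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status
2009-05-19 10:00:01 192.0.2.10 GET /index.htm - 200
2009-05-19 10:00:02 192.0.2.10 GET /protected/report.doc - 401
2009-05-19 10:00:03 192.0.2.10 PROPFIND /%e2%80%8bprotected/ - 207
2009-05-19 10:00:04 192.0.2.11 PROPFIND /%e2%80%8bprotected/ bob 207
2009-05-19 10:00:05 192.0.2.12 PROPFIND /docs/ alice 207
2009-05-19 10:00:06 192.0.2.13 GET /caf%c3%a9.htm - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                           # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                           # malformed line: skip rather than guess
        entries.append(dict(zip(fields, values)))
    return entries


def has_unicode_token(uri_stem):
    """True if the URI stem carries any byte >= 0x80, raw or percent-encoded."""
    return any(b >= 0x80 for b in unquote_to_bytes(uri_stem))


def flag_requests(entries):
    """Return (client ip, method, uri, severity) for entries matching the heuristic."""
    findings = []
    for e in entries:
        method = e.get("cs-method", "").upper()
        uri = e.get("cs-uri-stem", "")
        if method not in WEBDAV_METHODS or not has_unicode_token(uri):
            continue                           # ordinary traffic, e.g. GET /caf%c3%a9.htm
        anonymous = e.get("cs-username", "-") == "-"
        succeeded = e.get("sc-status", "").startswith("2")
        severity = "high" if anonymous and succeeded else "medium"
        findings.append((e.get("c-ip", "?"), method, uri, severity))
    return findings


if __name__ == "__main__":
    for ip, method, uri, severity in flag_requests(parse_w3c(SAMPLE_LOG)):
        print(f"{severity:6} {ip} {method} {uri}")
```

Authenticated WebDAV requests with non-ASCII paths are only rated "medium" because legitimate users do request non-ASCII file names; the combination that matters for this advisory is an anonymous request to a protected path that was answered with success instead of 401.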

Christopher Budd, security response communications lead for Microsoft, said in a statement that, “Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.” In addition, he said they are working with everyone involved with MAPP, as well as the Security Response Alliance.