
May 19th, 2009

Microsoft confirms server vulnerability warning

Posted by Ryan Naraine @ 8:24 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Locally Running Web Servers, Malware, Microsoft, Pen testing

Tags: Vulnerability, WebDAV, Server, Microsoft Corp., Microsoft IIS Server, Thierry Zoller, Security, Ryan Naraine

Microsoft has activated its security response process to deal with the release of exploit code targeting an unpatched vulnerability affecting IIS 5.0 through 6.0.

The company released a formal pre-patch advisory to acknowledge the vulnerability and offer mitigation guidance for customers.

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

We are not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports.

Affected Software:

  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0

Microsoft’s advisory comes just days after a hacker known as “Kingcope” published details of the vulnerability (.PDF) on several mailing lists.

Thierry Zoller has been maintaining detailed notes on this issue:

  1. WebDAV is not enabled by default on IIS6, IIS7 + WebDAV is not affected
  2. IIS 5 and IIS 5.1 are also affected.
  3. Enabling WebDAV applies to all websites and doesn’t have to be enabled per site.
  4. You can actually upload content to the web server, if the IUSR_anonymous has write access to WebDAV folders. (To any other folder if the account has write access to other folders)
  5. This seems to have a similar (root cause) than the 2001 Unicode IIS4/5 bug, but not exactly the same
  6. “Translate:f” is required for GET requests, PROPFIND works without the translate option.
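
For defenders reviewing IIS logs while no patch is available, the following is an added example (not from the article, Microsoft's advisory or Zoller's notes) that flags successful WebDAV requests made without an authenticated user. It assumes W3C extended logging with the `cs-username`, `cs-method`, `cs-uri-stem` and `sc-status` fields enabled; the sample log, the `/protected/` prefix and all function names are constructed for illustration.

```python
# Added example: triage IIS W3C extended logs for anonymous WebDAV activity.
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
WRITES = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}  # change content

# Constructed sample log; addresses, paths and account names are made up.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2009-05-19 08:01:02 192.0.2.10 - GET /index.html 200
2009-05-19 08:01:05 192.0.2.44 - PROPFIND /protected/ 207
2009-05-19 08:01:09 192.0.2.44 - PUT /uploads/note.txt 201
2009-05-19 08:02:00 192.0.2.7 CORP\alice PROPFIND /protected/ 207
2009-05-19 08:02:30 192.0.2.44 - PROPFIND /public/ 401
2009-05-19 08:03:00 192.0.2.50 - PROPFIND /public/ 207
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, keyed by the latest #Fields: directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def flag_anonymous_webdav(lines, protected_prefixes=("/protected/",)):
    """Return (severity, client, method, uri, status) for each suspicious hit."""
    findings = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        status = rec.get("sc-status", "")
        # IIS logs "-" as the user name when the request was anonymous.
        if rec.get("cs-username", "-") != "-" or not status.startswith("2"):
            continue
        if method not in WEBDAV | WRITES:
            continue  # plain GETs: the Translate header is not in these fields
        uri = rec.get("cs-uri-stem", "")
        protected = any(uri.lower().startswith(p.lower()) for p in protected_prefixes)
        severity = "high" if protected or method in WRITES else "review"
        findings.append((severity, rec.get("c-ip"), method, uri, status))
    return findings

if __name__ == "__main__":
    for finding in flag_anonymous_webdav(SAMPLE_LOG):
        print(*finding)
```

Because the logged fields assumed here do not include request headers, GET requests that rely on “Translate:f” are not covered by this check and need header-level logging or a network capture to review.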

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

