ISS X-Force Database: http-webdav-long-request(11533): Microsoft IIS WebDAV long request buffer overflow

Microsoft IIS WebDAV long request buffer overflow

http-webdav-long-request (11533)

High Risk

Description:

WebDAV is vulnerable to a buffer overflow. An overflow in a path conversion function occurs within NtDLL, which is called from a common API exported from the Kernel32 library. However, the specific API in question is reachable through the WebDAV component.

Exploitation will yield local SYSTEM privileges on vulnerable IIS servers. This can potentially lead to the disclosure of confidential information contained on compromised Web servers.

Since the vulnerability is in an underlying library function and not within the IIS server, it is conceivable that other portions of the IIS server or completely unrelated services might also be affected.

*CVSS:

Base Score:	10
Access Vector:	Remote
Access Complexity:	Low
Authentication:	Not Required
Confidentiality Impact:	Complete
Integrity Impact:	Complete
Availability Impact:	Complete

Temporal Score:	7.4
Exploitability:	Unproven
Remediation Level:	Official-Fix
Report Confidence:	Confirmed

Consequences:

Gain Access

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
HttpWebdavLongRequest
MS03-007
Win2kMs03007Patch

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_WebDAV_Long_Rqst_BO

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-007. See References.

For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS03-007, but it was superseded by the patch released with MS03-013, which was then superseded by the patch released with MS04-011. Microsoft is also reporting that MS03-007 was superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.

For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS03-013, but it was superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.

Workaround: IIS administrators may temporarily disable WebDAV support on IIS 5 servers if possible. Microsoft Knowledge Base Article 241520 describes the process in detail. See References.

For Windows XP:
Microsoft is reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. Microsoft is also reporting that MS03-013 was superseded by the patch released with MS05-018. See References.

References:

BugTraq Mailing List, Sun Jun 01 2003 - 15:29:26 CDT: [Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007.
CERT Advisory CA-2003-09: Buffer Overflow in Microsoft IIS 5.0.
CIAC Information Bulletin N-054: Microsoft Unchecked Buffer in Windows Component Could Cause Web Server Compromise.
Internet Security Systems Security Alert, March 17, 2003: Microsoft IIS WebDAV Remote Compromise Vulnerability.
Microsoft Knowledge Base Article 241520: How to Disable WebDAV for IIS 5.0.
Microsoft Security Bulletin MS03-007: Unchecked buffer in Windows component could cause web server compromise (815021).
Microsoft Security Bulletin MS03-013: Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493).
Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732).
Microsoft Security Bulletin MS04-032: Security Update for Microsoft Windows (840987).
Microsoft Security Bulletin MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835).
Microsoft Security Bulletin MS05-018: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859).
VulnWatch Mailing List, Fri Mar 21 2003 - 10:16:16 CST: New attack vectors and a vulnerability dissection of MS03-007.
BID-7116: Microsoft Windows ntdll.dll Buffer Overflow Vulnerability
CVE-2003-0109: Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
SA8314: Microsoft Internet Information Services WebDAV Buffer Overflow
US-CERT VU#117394: Buffer Overflow in Core Microsoft Windows DLL

Platforms Affected:

Microsoft Internet Information Server 5.0
Microsoft Windows 2000 SP1
Microsoft Windows 2000 SP3
Microsoft Windows 2000 SP2

Reported:

Mar 17, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia? integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force? research and development team ? an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.