ISS X-Force Database: http-webdav-long-request(11533): Microsoft IIS WebDAV long request buffer overflow

Microsoft IIS WebDAV long request buffer overflow

http-webdav-long-request (11533)

High Risk

Description:

WebDAV is vulnerable to a buffer overflow. An overflow in a path conversion function occurs within NtDLL, which is called from a common API exported from the Kernel32 library. However, the specific API in question is reachable through the WebDAV component.

Exploitation will yield local SYSTEM privileges on vulnerable IIS servers. This can potentially lead to the disclosure of confidential information contained on compromised Web servers.

Since the vulnerability is in an underlying library function and not within the IIS server, it is conceivable that other portions of the IIS server or completely unrelated services might also be affected.

Platforms Affected:

Microsoft, IIS 5.0
Microsoft, Windows 2000 SP1
Microsoft, Windows 2000 SP3
Microsoft, Windows 2000 SP2

Remedy:

For vulnerability detection:

Enable the following checks in the ISS Protection Platform:
HttpWebdavLongRequest
MS03-007
Win2kMs03007Patch

For Virtual Patch:

Enable the following checks in the ISS Protection Platform:
HTTP_WebDAV_Long_Rqst_BO

Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
Port 80

For Manual Protection:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-007. See References.

For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS03-007, but it was superseded by the patch released with MS03-013, which was then superseded by the patch released with MS04-011. Microsoft is also reporting that MS03-007 was superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.

For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS03-013, but it was superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.

Workaround: IIS administrators may temporarily disable WebDAV support on IIS 5 servers if possible. Microsoft Knowledge Base Article 241520 describes the process in detail. See References.

For Windows XP:
Microsoft is reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. Microsoft is also reporting that MS03-013 was superseded by the patch released with MS05-018. See References.

Consequences:

Gain Access

References:

BugTraq Mailing List, Sun Jun 01 2003 - 15:29:26 CDT, [Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007 at http://archives.neohapsis.com/archives/bugtraq/2003-06/0005.html.
CERT Advisory CA-2003-09, Buffer Overflow in Microsoft IIS 5.0 at http://www.cert.org/advisories/CA-2003-09.html.
CIAC Information Bulletin N-054, Microsoft Unchecked Buffer in Windows Component Could Cause Web Server Compromise at http://www.ciac.org/ciac/bulletins/n-054.shtml.
Internet Security Systems Security Alert, March 17, 2003, Microsoft IIS WebDAV Remote Compromise Vulnerability at http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22029.
Microsoft Knowledge Base Article 241520, How to Disable WebDAV for IIS 5.0 at http://support.microsoft.com/default.aspx?scid=kb;[LN];241520.
Microsoft Security Bulletin MS03-007, Unchecked buffer in Windows component could cause web server compromise (815021) at http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx.
Microsoft Security Bulletin MS03-013, Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493) at http://www.microsoft.com/technet/security/bulletin/ms03-013.mspx.
Microsoft Security Bulletin MS04-011, Security Update for Microsoft Windows (835732) at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.
Microsoft Security Bulletin MS04-032, Security Update for Microsoft Windows (840987) at http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx.
Microsoft Security Bulletin MS04-044, Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835) at http://www.microsoft.com/technet/security/bulletin/ms04-044.mspx.
Microsoft Security Bulletin MS05-018, Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) at http://www.microsoft.com/technet/security/bulletin/ms05-018.mspx.
VulnWatch Mailing List, Fri Mar 21 2003 - 10:16:16 CST, New attack vectors and a vulnerability dissection of MS03-007 at http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0144.html.
BID-7116: Microsoft Windows ntdll.dll Buffer Overflow Vulnerability
CVE-2003-0109: Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
SA8314: Microsoft Internet Information Services WebDAV Buffer Overflow
US-CERT VU#117394: Buffer Overflow in Core Microsoft Windows DLL

Reported:

Mar 17, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page