CERT-In Vulnerability Note CIVN-2009-63
Microsoft IIS 6.0 WebDAV Authentication bypass vulnerability

Original Issue Date:May 19, 2009
Updated:June 11, 2009

Severity Rating: High

Affected Softwares

• Microsoft Internet Information Services 6.0
• Microsoft Internet Information Services 5.1
• Microsoft Internet Information Services 5.0

Systems Affected

• Microsoft Windows 2000 Service Pack 4
• Windows XP Professional Service Pack 2
• Windows XP Professional Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
  

Overview

Authentication bypass vulnerability has been reported in Microsoft IIS that could allow a remote attacker to gain unauthorized access to protected WebDAV resources.

Description

Web Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP) that defines how basic file functions such as copy, move, delete and create are performed by a computer using HTTP.

1. IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability     (CVE-2009-1535)

Authentication bypass vulnerability in Microsoft Internet Information Service (IIS) could allow remote attackers to bypass access restriction. This vulnerability is caused due to improper handling of user supplied Unicode tokens while parsing the Uniform Resource Identifier ( URI ) and sending back data. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted HTTP GET requests containing special Unicode characters to the web server for authentication bypass and get access to password protected folders on vulnerable installations of IIS Server 6.0.

2. IIS 5.0 WebDAV Authentication Bypass Vulnerability
    (CVE-2009-1122)

An elevation of privilege vulnerability exists in Microsoft Internet Information Service (IIS 5.0). This vulnerability is caused due to improper handling of HTTP requests. A remote attacker could exploit this vulnerability by passing specially crafted anonymous HTTP request to the web server to bypass authentication and to get access to the authentication protected locations.


Workarounds

• Install and Configure URL Scan Security Tool for all incoming requests to the web server to filter maliciously crafted HTTP GET request or URI containing improper Unicode tokens.
  http://www.microsoft.com/technet/security/tools/urlscan.mspx
• Install and configure IIS Lockdown Tool to reduce the attack surface by turning off unnecessary features.
  http://www.microsoft.com/technet/security/tools/locktool.mspx
• Change file system ACLs to deny access to the anonymous user account
  Microsoft Knowledge Base Article 271071
  Microsoft Knowledge Base Article 812614
• Disable WebDAV functionality if not required on the web server.

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-020

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
http://www.microsoft.com/technet/security/advisory/971492.mspx

References

SecurityFocus
http://www.securityfocus.com/bid/34993

VUPEN Security
http://www.vupen.com/english/advisories/2009/1330

AusCERT
http://www.auscert.org.au/render.html?it=11001

Milw0rm
http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

CERT-In
http://www.cert-in.org.in/knowledgebase/guidelines/
cisg-2006-01.htm

CVE Name
CVE-2009-1535
CVE-2009-1122

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003