cert, Nikolaos Rangos, VU:787932
May 19, 2009 - 12:00 a.m.

Microsoft IIS WebDAV Remote Authentication Bypass

2009-05-19 00:00:00
Nikolaos Rangos
www.kb.cert.org

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.953 High
Percentile: 99.4%

Overview

A vulnerability exists in the way Microsoft Internet Information Server (IIS) handles Unicode tokens that may allow authentication bypass.

Description

Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS’s implementation of WebDAV handles Unicode tokens may allow authentication bypass. According to Nikolaos Rangos:

The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data.

According to Thierry Zoller:
The bug discovered by Rangos seems to suffer from a similar logic mistake when requesting source (translate:f) that has been introduced in the Webdav component. It appears that unicode characters are removed after the security checks.

Note that this issue affects IIS versions prior to 7.0.


Impact

A remote attacker may be able to bypass the access restrictions and list, download, upload and modify protected files.


Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable WebDAV
Disabling WebDAV prevents this vulnerability from being exploited and reduces attack surface. WebDAV functionality is disabled by default in IIS version 6.0 on systems that have not had services that utilize WebDAV installed.

Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint.

Filter external HTTP requests
Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing “Translate: f” HTTP headers.
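The filter described in this workaround can be prototyped as follows. This is an added example, not code from CERT, Microsoft or the researchers quoted above. The internal address ranges, the sample requests and the second check (flagging non-ASCII bytes in the request target) are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: ranges treated as internal; the page only says "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
NON_ASCII_ESCAPE = re.compile(rb"%[89a-fA-F][0-9a-fA-F]")

# Constructed sample requests (not captured traffic).
REQ_TRANSLATE = (b"GET /docs/report.txt HTTP/1.1\r\nHost: www.example.test\r\n"
                 b"translate:  F\r\n\r\n")
REQ_PLAIN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
REQ_UTF8_NAME = b"GET /caf%C3%A9.txt HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Unfold continuation lines so a folded value cannot hide the "f".
    head = re.sub(rb"\r\n[ \t]+", b" ", head)
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip().lower()))
    return parts[1], headers


def findings(raw, src_ip):
    """Reasons to refuse an external request; an empty list means pass."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return []  # the workaround targets external requests only
    try:
        target, headers = parse_request(raw)
    except ValueError:
        return ["malformed"]
    reasons = []
    # Header names and the value are matched case-insensitively.
    if (b"translate", b"f") in headers:
        reasons.append("translate-f")
    # Heuristic, an assumption: Unicode tokens appear as non-ASCII bytes,
    # raw or percent-encoded, in the request target.
    if NON_ASCII_ESCAPE.search(target) or any(b > 0x7F for b in target):
        reasons.append("non-ascii-uri")
    return reasons
```

The non-ASCII check also matches legitimate UTF-8 file names such as the constructed `caf%C3%A9.txt` sample, so it is better suited to alerting than to blocking.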

Please see Microsoft Security Advisory 971492 for further mitigation information.


Vendor Information

Microsoft Corporation: Affected

Updated: May 19, 2009

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Microsoft Security Advisory 971492 has been released to address this issue.

CVSS Metrics

Group Score Vector
Base 0 AV:–/AC:–/Au:–/C:–/I:–/A:–
Temporal 0 E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND)
Environmental 0 CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)

Acknowledgements

This vulnerability was publicly disclosed by Nikolaos Rangos.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2009-1535
Date Public: 2009-03-12
Date First Published:
