Serious new flaw found in IIS 6.0

A new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.

The vulnerability is in the implementation of the WebDAV protocol in IIS 6.0, which allows remote users to access and modify documents on a Web server. News of the vulnerability, discovered by a researcher named Nikolaos Rangos, hit the Full Disclosure security mailing list last week. Here are the details, from Rangos’s advisory:

This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of Internet Information Server 6.0. The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can
result in the following:
– Authentication bypass of password protected folders
– Listing, downloading and uploading of files into a password protected WebDAV folder

There is no patch available for this vulnerability, so experts at the SANS Internet Storm Center are recommending that people disable WebDAV in the interim. Thierry Zoller has a good analysis of the IIS 6.0 vulnerability as well.

Microsoft’s Security Response Center is investigating the WebDAV vulnerability and is in the process of putting together an advisory on it.

“Microsoft is investigating new public claims of a possible vulnerability in Internet Information Services. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We are working on a security advisory to provide customers with guidance to help protect themselves,” said Christopher Budd, security response communications lead at Microsoft.