Executive Summary

Summary
Title: Microsoft IIS WebDAV Remote Authentication Bypass
Information
Name: VU#787932
First vendor Publication: 2009-05-19
Vendor: VU-CERT
Last vendor Modification: 2009-05-20
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Cvss Base Score: 7.6
Attack Range: Network
Cvss Impact Score: 10
Attack Complexity: High
Cvss Exploit Score: 4.9
Authentication: None Required

Detail

Vulnerability Note VU#787932

Microsoft IIS WebDAV Remote Authentication Bypass

Overview

A vulnerability exists in the way Microsoft Internet Information Server (IIS) handles Unicode tokens that may allow authentication bypass.

I. Description

Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS's implementation of WebDAV handles Unicode tokens may allow authentication bypass. According to Nikolaos Rangos:

The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data.

According to Thierry Zoller:

The bug discovered by Rangos seems to suffer from a similar logic mistake when requesting source (translate:f) that has been introduced in the Webdav component. It appears that unicode characters are removed after the security checks.

Note that this issue affects IIS versions prior to 7.0.

II. Impact

A remote attacker may be able to bypass the access restrictions and list, download, upload and modify protected files.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable WebDAV
Disabling WebDAV prevents this vulnerability from being exploited and reduces attack surface. WebDAV functionality is disabled by default in IIS version 6.0 on systems that have not had services that utilize WebDAV installed.

Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint.

Filter external HTTP requests
Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing "Translate: f" HTTP headers.

Please see Microsoft Security Advisory 971492 for further mitigation information.
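The filtering workaround above can be expressed as request-inspection logic. The following is an added example, not code from the CERT note or from Microsoft: it flags the "Translate: f" header and any overlong two-byte UTF-8 sequence in the URI, of which the %c0%af sequence named in the OVAL description on this page is one instance. The function names and sample requests are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

def overlong_ascii(uri: str) -> list[tuple[int, str]]:
    """Return (byte offset, hidden character) for every overlong
    two-byte UTF-8 sequence in the percent-decoded URI."""
    raw = unquote_to_bytes(uri)
    hits = []
    for i in range(len(raw) - 1):
        lead, cont = raw[i], raw[i + 1]
        # Lead bytes 0xC0/0xC1 can only encode code points below 0x80,
        # so they never occur in valid UTF-8.
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            hits.append((i, chr(((lead & 0x1F) << 6) | (cont & 0x3F))))
    return hits

def has_translate_f(headers: dict[str, str]) -> bool:
    """True if a Translate header with value 'f' is present
    (header name and value compared case-insensitively)."""
    return any(name.strip().lower() == "translate"
               and value.strip().lower() == "f"
               for name, value in headers.items())

def inspect_request(uri: str, headers: dict[str, str]) -> list[str]:
    """Return the list of findings for one request; empty means clean."""
    findings = [f"overlong UTF-8 for {ch!r} at byte {off}"
                for off, ch in overlong_ascii(uri)]
    if has_translate_f(headers):
        findings.append("Translate: f header")
    return findings

# Constructed sample requests (hypothetical host and paths).
SAMPLES = [
    ("/docs/readme.txt", {"Host": "www.example.test"}),
    ("/prot%c0%afected/report.doc",
     {"Host": "www.example.test", "Translate": "f"}),
    ("/caf%c3%a9/menu.html", {"Host": "www.example.test"}),  # valid UTF-8
    ("/shared/notes.txt", {"translate": " F "}),
]

def triage(samples=SAMPLES):
    """Run inspect_request over every sample request."""
    return [(uri, inspect_request(uri, hdrs)) for uri, hdrs in samples]

if __name__ == "__main__":
    for uri, findings in triage():
        print(uri, "->", findings or "clean")
```

Legitimate WebDAV clients also send "Translate: f", so that finding alone is a reason to review external traffic rather than proof of abuse; an overlong encoding in a URI has no legitimate use.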

Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft Corporation    Vulnerable    2009-05-19

References


http://seclists.org/fulldisclosure/2009/May/0134.html
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://milw0rm.com/exploits/8704
http://www.microsoft.com/technet/security/advisory/971492.mspx

Credit

This vulnerability was publicly disclosed by Nikolaos Rangos.

This document was written by Chris Taschner.

Other Information

Date Public: 2009-03-12
Date First Published: 2009-05-19
Date Last Updated: 2009-05-20
CERT Advisory:
CVE-ID(s): CVE-2009-1535
NVD-ID(s): CVE-2009-1535
US-CERT Technical Alerts:
Metric: 0.00
Document Revision: 17

Original Source

Url : http://www.kb.cert.org/vuls/id/787932

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6029
 
Oval ID: oval:org.mitre.oval:def:6029
Title: IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability
Description: The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Family: windows Class: vulnerability
Reference(s): CVE-2009-1535
Version: 1
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): Microsoft Internet Information Server 5.1
Microsoft Internet Information Server 6.0
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 2

OpenVAS Exploits

Date Description
2009-06-10 Name : Microsoft IIS Security Bypass Vulnerability (970483)
File : nvt/secpod_ms09-020.nasl
2009-05-20 Name : Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
File : nvt/secpod_ms_iis_webdav_auth_bypass_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
54555 Microsoft IIS WebDAV Unicode URI Request Authentication Bypass

Snort® IPS/IDS

Date Description
2019-01-15 (http_inspect) unicode map code point encoding in URI
RuleID : 7 - Revision : 2 - Type :
2014-01-10 WebDAV Request Directory Security Bypass attempt
RuleID : 17564 - Revision : 7 - Type : SERVER-IIS

Nessus® Vulnerability Scanner

Date Description
2009-06-10 Name : It is possible to bypass authentication on the remote web server.
File : smb_nt_ms09-020.nasl - Type : ACT_GATHER_INFO
2009-05-18 Name : It is possible to access protected resources through WebDAV.
File : webdav_iis6_flaw.nasl - Type : ACT_ATTACK