
Buffer Overflow in Microsoft IIS 5.0

 

Description

A serious vulnerability exists within the WebDAV component of Microsoft Internet Information Services (IIS) Web server. WebDAV stands for "Web-based Distributed Authoring and Versioning". WebDAV extensions are used by administrators to manage and edit Web content remotely. WebDAV is enabled by default on IIS 5.0 installations, and no authentication or special privileges are required for remote exploitation.

WebDAV is an extension to the HTTP 1.1 protocol designed to add distributed authoring and version control to Web content. The overflow vulnerability is in a path conversion function within NtDLL, which is called from a common API exported from the Kernel32 library. The specific API in question is reachable through the WebDAV component of IIS 5.0.

Exploitation of this vulnerability will yield local SYSTEM privileges on vulnerable IIS servers. This can potentially lead to the disclosure of confidential information contained on compromised Web servers. This vulnerability could easily be used to compromise IIS servers in an automated fashion, or as part of a self-propagating worm.

Note: Microsoft's rating is "Critical".

A recent study proposed that the impact of this vulnerability is more far-reaching, including Java-based Web servers and other non-WebDAV related issues in IIS. More information is yet to be disclosed. Please refer to the NGSSoftware link in "Related Links". (Updated March 24, 2003)

Microsoft found that Windows NT 4.0 also contains the underlying vulnerability in ntdll.dll; however, it does not support WebDAV, and therefore the known exploit was not effective against Windows NT 4.0. In addition, Microsoft has recently been made aware that this vulnerability also exists in Windows XP. However, like Windows NT 4.0, Windows XP does not install Internet Information Services (IIS) by default. (Updated May 30, 2003)

Impact

Run Code of Attacker's Choice

Vulnerable System
  • Microsoft Windows NT 4.0 (Updated May 30, 2003)
  • Microsoft Windows NT 4.0 Terminal Server Edition (Updated May 30, 2003)
  • Microsoft Windows 2000 with IIS 5.0 enabled
  • Microsoft Windows XP (Updated May 30, 2003)
  • Java-based Web servers (refer to link of NGSSoftware in "Related Links") (Updated March 24, 2003)

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Download locations for this patch

Microsoft Windows NT 4.0: (Updated May 30, 2003)

Microsoft Windows NT4.0, Terminal Server Edition: (Updated May 30, 2003)

Microsoft Windows 2000:

Microsoft Windows XP: (Updated May 30, 2003)

Installation platforms:

Disable vulnerable service:

Until a patch can be applied, you may wish to disable IIS. To determine if IIS is running, Microsoft recommends the following:

Go to "Start | Settings | Control Panel | Administrative Tools | Services". If the "World Wide Web Publishing" service is listed, then IIS is installed.

To disable IIS, run the IIS lockdown tool. This tool is available here:

http://www.microsoft.com/downloads/release.asp?ReleaseID=43955

If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV (removing WebDAV can be specified when running the IIS lockdown tool). Alternatively, you can disable WebDAV by following the instructions located in Microsoft Knowledge Base Article 241520, "How to Disable WebDAV for IIS 5.0":

http://support.microsoft.com/default.aspx?scid=kb;en-us;241520

Restrict buffer size:

If you cannot use either the IIS lockdown tool or URLScan, consider restricting the size of the buffer IIS utilizes to process requests by using Microsoft's URL Buffer Size Registry Tool. This tool can be run against a local or remote Windows 2000 system running Windows 2000 Service Pack 2 or Service Pack 3. The tool, instructions on how to use it, and instructions on how to manually make changes to the registry are available here:

URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
Microsoft Knowledge Base Article 816930 - http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
Microsoft Knowledge Base Article 260694 - http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

You may also wish to use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available at:

http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
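
Added example (not part of the original advisory and not Microsoft's tooling): before disabling WebDAV or restricting the request buffer size, it helps to know which clients actually use WebDAV methods and how long the URLs in existing traffic are. The Python script below reads an IIS log in W3C extended format and reports both. The log lines are constructed, and the function name audit_iis_log and the max_url_len threshold are assumptions, not values from the advisory.

```python
import io

# WebDAV methods from RFC 2518 plus SEARCH; ordinary GET/POST/HEAD are excluded.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

def audit_iis_log(stream, max_url_len=16384):
    """Return (WebDAV methods per client IP, requests whose URL exceeds max_url_len)."""
    # max_url_len is an illustrative threshold (assumption), not Microsoft's setting.
    fields = []
    webdav_clients = {}   # client IP -> set of WebDAV methods seen
    oversized = []        # (client IP, method, URL length)
    for raw in stream:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        rec = dict(zip(fields, values))
        method = rec.get("cs-method", "").upper()
        ip = rec.get("c-ip", "-")
        query = rec.get("cs-uri-query", "-")
        url_len = len(rec.get("cs-uri-stem", "")) + (0 if query == "-" else len(query) + 1)
        if method in WEBDAV_METHODS:
            webdav_clients.setdefault(ip, set()).add(method)
        if url_len > max_url_len:
            oversized.append((ip, method, url_len))
    return webdav_clients, oversized

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2003-03-18 09:00:01 192.0.2.10 GET /index.htm - 200\n"
    "2003-03-18 09:00:05 192.0.2.20 PROPFIND /docs/ - 207\n"
    "2003-03-18 09:00:09 192.0.2.20 LOCK /docs/a.doc - 200\n"
    "2003-03-18 09:00:12 198.51.100.7 SEARCH /" + "x" * 40 + " - 500\n"
    "2003-03-18 09:00:15 192.0.2.10 GET /s.asp id=1 200\n"
)

if __name__ == "__main__":
    clients, big = audit_iis_log(io.StringIO(SAMPLE_LOG), max_url_len=32)
    print("WebDAV clients:", {ip: sorted(m) for ip, m in clients.items()})
    print("Over-limit URLs:", big)
```

Clients that appear in the first result depend on WebDAV and will be affected when it is disabled; entries in the second result are requests that a buffer size restriction at the chosen limit would reject.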

Related Link

Source

Vulnerability identifier


Written on 18 March, 2003
Last updated on 30 May, 2003