TECHNICAL BULLETIN
| PROBLEM: | Microsoft Internet Information Service (IIS) is prone to multiple authentication-bypass vulnerabilities through improperly enforced access restrictions. |
| PLATFORM: | Microsoft IIS 6.0; Microsoft Windows Server 2003 Datacenter Edition; Microsoft Windows Server 2003 Datacenter Edition Itanium 0; Microsoft Windows Server 2003 Enterprise Edition; Microsoft Windows Server 2003 Enterprise Edition Itanium 0; Microsoft Windows Server 2003 Standard Edition; Microsoft Windows Server 2003 Web Edition |
| ABSTRACT: | Microsoft Internet Information Service (IIS) is prone to multiple authentication-bypass vulnerabilities because the application fails to properly enforce access restrictions on certain requests to password-protected WebDAV folders. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-137.shtml |
| OTHER LINKS: | Milw0rm Website: http://milw0rm.com/sploits/2009-IIS-Advisory.pdf; Microsoft Website: http://www.microsoft.com/windowsserver2003/iis/default.mspx; Security Focus Website: http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt |
| IMPACT ASSESSMENT: | The risk is high. An attacker can exploit these issues to gain unauthorized access to protected WebDAV resources, which may lead to other attacks. |
Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities
Class: Access Validation Error
Credit: Nikolaos Rangos (Kingcope)

Microsoft Internet Information Service (IIS) is prone to multiple authentication-bypass vulnerabilities because the application fails to properly enforce access restrictions on certain requests to password-protected WebDAV folders. An attacker can exploit these issues to gain unauthorized access to protected WebDAV resources, which may lead to other attacks. Microsoft IIS 6.0 is vulnerable; other versions may also be affected. Attackers may exploit these issues via a browser. Currently we are not aware of any vendor-supplied patches.
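A defender-side log check, added here as an example and not part of the DOE-CIRC bulletin or of any Microsoft tooling. It parses IIS 6.0 W3C extended log lines, flags request paths that carry percent-encoded non-ASCII bytes or malformed UTF-8 (the "Unicode requests" the bulletin title refers to), and independently flags a successful response to an unauthenticated request on a folder configured as password-protected, which is what a working bypass looks like in the log regardless of how the path was encoded. The sample log lines, the protected prefix /secure/, the field order in the #Fields directive, and the assumption that cs-uri-stem is logged with the percent-encoding as received are all assumptions made for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample of an IIS 6.0 W3C extended log (not taken from the bulletin).
# Field order is declared by the #Fields: directive, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-15 10:01:02 192.0.2.10 PROPFIND /secure/ - 80 alice 198.51.100.7 Mozilla/4.0 207 0 0
2009-05-15 10:01:05 192.0.2.10 GET /secure/report.doc - 80 - 198.51.100.7 Mozilla/4.0 401 2 2147942405
2009-05-15 10:01:09 192.0.2.10 GET /secure/%c3%a9tat.doc - 80 - 198.51.100.9 Mozilla/4.0 200 0 0
2009-05-15 10:01:12 192.0.2.10 GET /public/index.htm - 80 - 198.51.100.9 Mozilla/4.0 200 0 0
"""

# Assumed: folders that IIS is configured to protect with authentication.
PROTECTED_PREFIXES = ("/secure/",)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields: names."""
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        records.append(dict(zip(fields, values)))
    return records


def has_unicode_encoding(stem):
    """True if the path carries percent-encoded bytes outside 7-bit ASCII."""
    return any(b >= 0x80 for b in unquote_to_bytes(stem))


def has_invalid_utf8(stem):
    """True if the decoded path bytes are not well-formed UTF-8.

    Python's strict decoder rejects overlong and truncated sequences, so an
    encoding that a lenient server-side decoder might accept is caught here.
    """
    try:
        unquote_to_bytes(stem).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def is_protected(stem):
    """Case-insensitive prefix match after percent-decoding (IIS paths are case-insensitive)."""
    decoded = unquote_to_bytes(stem).decode("utf-8", errors="replace").lower()
    return decoded.startswith(PROTECTED_PREFIXES)


def review_reasons(rec):
    """Return the list of reasons a record deserves analyst review (empty if none)."""
    reasons = []
    stem = rec["cs-uri-stem"]
    if has_unicode_encoding(stem):
        reasons.append("unicode-encoded path")
    if has_invalid_utf8(stem):
        reasons.append("invalid or overlong UTF-8 in path")
    try:
        status = int(rec["sc-status"])
    except ValueError:
        status = 0
    # cs-username is "-" when no authenticated user was associated with the request.
    if is_protected(stem) and rec["cs-username"] == "-" and 200 <= status < 300:
        reasons.append("unauthenticated success on protected folder")
    return reasons


def scan_log(text):
    """Return every record that has at least one review reason, with the reasons attached."""
    hits = []
    for rec in parse_w3c(text):
        reasons = review_reasons(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"],
              "->", "; ".join(hit["reasons"]))
```

The prefix check is deliberately not the only signal: an access-validation bypass works precisely by presenting a path the server does not recognise as the protected folder, so the encoding checks run on every request independently of where the path appears to point. Conversely, the "unauthenticated success on protected folder" reason fires on the response side and does not depend on spotting any particular encoding, which makes it the more durable of the two for an environment where the vendor fix is not yet in place.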
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov