2110009 : Microsoft IIS WebDAV long request buffer overflow
Event Description
WebDAV is vulnerable to a buffer overflow. An overflow in a path conversion function occurs within NtDLL, which is called from a common API exported from the Kernel32 library. However, the specific API in question is reachable through the WebDAV component.
Exploitation will yield local SYSTEM privileges on vulnerable IIS servers. This can potentially lead to the disclosure of confidential information contained on compromised Web servers.
Since the vulnerability is in an underlying library function and not within the IIS server, it is conceivable that other portions of the IIS server or completely unrelated services might also be affected.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector 3.6
- RealSecure Network
- RealSecure Server Sensor
HTTP_WebDAV_Long_Rqst_BO: This signature looks for a WebDAV method request with a URL length greater than pam.http.webdavmaxurl (default 19,000).
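The check described above, sketched as an added example (this is not ISS's signature code). The WebDAV method list (RFC 2518 methods plus SEARCH) and measuring the URL in raw bytes are assumptions, since the page gives only the threshold; the sample requests are constructed padding.

```python
WEBDAV_MAX_URL = 19000  # pam.http.webdavmaxurl default given on the page
# Assumption: RFC 2518 methods plus SEARCH; the page does not list the methods covered.
WEBDAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
)


def parse_request_line(raw: bytes):
    """Return (method, url_bytes) from the first line, or None if unparseable."""
    line = raw.split(b"\r\n", 1)[0]
    method, sep, rest = line.partition(b" ")
    if not sep or not method.isalpha():
        return None
    # A truncated capture may lack the CRLF or " HTTP/x.y" suffix; in that
    # case everything after the method counts as the URL seen so far.
    return method.decode("ascii"), rest.rsplit(b" HTTP/", 1)[0]


def check_request(raw: bytes, max_url: int = WEBDAV_MAX_URL):
    """Return an alert dict for a WebDAV method whose URL exceeds max_url bytes."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return None
    method, url = parsed
    if method in WEBDAV_METHODS and len(url) > max_url:
        return {"signature": "HTTP_WebDAV_Long_Rqst_BO", "method": method, "url_len": len(url)}
    return None


def scan(requests, max_url: int = WEBDAV_MAX_URL):
    """Check each raw request and return (index, alert) pairs for the hits."""
    checked = [(i, check_request(raw, max_url)) for i, raw in enumerate(requests)]
    return [(i, alert) for i, alert in checked if alert]


# Constructed sample traffic: filler bytes only, hypothetical host name.
HOST = b"\r\nHost: www.example.test\r\n\r\n"
SAMPLES = [
    b"GET /" + b"a" * 20000 + b" HTTP/1.1" + HOST,      # long URL, not a WebDAV method
    b"PROPFIND /docs/ HTTP/1.1" + HOST,                 # WebDAV method, short URL
    b"SEARCH /" + b"a" * 20000 + b" HTTP/1.1" + HOST,   # WebDAV method, 20,001-byte URL
    b"LOCK /" + b"a" * 19000,                           # truncated capture, 19,001 bytes so far
    b"PROPFIND /" + b"a" * 18999 + b" HTTP/1.0\r\n\r\n",  # exactly 19,000: not greater than
]

if __name__ == "__main__":
    for index, alert in scan(SAMPLES):
        print(index, alert)
```

The boundary case matters when tuning the threshold: a URL of exactly 19,000 bytes does not fire, and a request line cut off before its terminator still does once the bytes seen exceed the limit.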
Affected platforms
- Microsoft IIS 5.0
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP3
How to remove this vulnerability
For vulnerability detection:
Enable the following checks in the ISS Protection Platform:
- HttpWebdavLongRequest
- MS03-007
- Win2kMs03007Patch
Enable the following checks in the ISS Protection Platform:
- HTTP_WebDAV_Long_Rqst_BO
Block or restrict the following in the ISS Protection Platform as appropriate to the environment:
- Port 80
For Manual Protection:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-007. See References.
For Windows 2000:
Microsoft originally provided a patch for this vulnerability in MS03-007, but it was superseded by the patch released with MS03-013, which was then superseded by the patch released with MS04-011. Microsoft is also reporting that MS03-007 was superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.
For Windows NT:
Microsoft originally provided a patch for this vulnerability in MS03-013, but it was superseded by the patch released with MS04-011. Microsoft is also reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. See References.
Workaround: IIS administrators may temporarily disable WebDAV support on IIS 5 servers if possible. Microsoft Knowledge Base Article 241520 describes the process in detail. See References.
For Windows XP:
Microsoft is reporting that the patch released with MS03-013 has been superseded by the patch released with MS04-032. Microsoft is reporting that MS03-013 was superseded by the patch released with MS04-044. Microsoft is also reporting that MS03-013 was superseded by the patch released with MS05-018. See References.
References
Internet Security Systems Security Alert, March 17, 2003
Microsoft IIS WebDAV Remote Compromise Vulnerability
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22029
Microsoft Security Bulletin MS05-018
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859)
http://www.microsoft.com/technet/security/bulletin/ms05-018.mspx
Microsoft Security Bulletin MS04-044
Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)
http://www.microsoft.com/technet/security/bulletin/ms04-044.mspx
Microsoft Security Bulletin MS04-032
Security Update for Microsoft Windows (840987)
http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Microsoft Security Bulletin MS03-013
Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493)
http://www.microsoft.com/technet/security/bulletin/ms03-013.mspx
BugTraq Mailing List, Sun Jun 01 2003 - 15:29:26 CDT
[Windows XP] ntdll.dll Buffer Overflow Vulnerability - Yet Another MS03-007
http://archives.neohapsis.com/archives/bugtraq/2003-06/0005.html
VulnWatch Mailing List, Fri Mar 21 2003 - 10:16:16 CST
New attack vectors and a vulnerability dissection of MS03-007
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0144.html
CIAC Information Bulletin N-054
Microsoft Unchecked Buffer in Windows Component Could Cause Web Server Compromise
http://www.ciac.org/ciac/bulletins/n-054.shtml
CERT Advisory CA-2003-09
Buffer Overflow in Microsoft IIS 5.0
http://www.cert.org/advisories/CA-2003-09.html
Microsoft Security Bulletin MS03-007
Unchecked buffer in Windows component could cause web server compromise (815021)
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Microsoft Knowledge Base Article 241520
How to Disable WebDAV for IIS 5.0
http://support.microsoft.com/default.aspx?scid=kb;[LN];241520
BugTraq
Microsoft Windows ntdll.dll Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/7116
Common Vulnerabilities and Exposures
Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0109
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2009 IBM Internet Security Systems. All rights reserved.
This page was created on Thu Jun 11 09:07:14 2009
