Zero-Day IIS Vuln Bypasses Authentication

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerability to the Full Disclosure mailing list on Friday (PDF link).Just like clothing has a way of making a comeback, it seems as if vulnerabilities are having the same zombie-like nature of not wanting to stay dead. Last October, Microsoft Security Bulletin MS08-067 addressed a vulnerability in the Windows Server Service that was in the same netapi32.dll as MS06-040 and even replaces that same security bulletin. Sure, there was only a 2 year cycle between those vulnerabilities, but it's hard not to sit back and laugh if you've been in the security biz for 8, 10 or more years.

You're probably asking yourself what impact this vulnerability will have on your environment. The answer is going to depend on if you use WebDAV or not, and what IIS version you're running. If you don't have WebDAV enabled on your IIS server, then you're safe and can go back to sipping your coffee and reading your RSS feeds. If you're running IIS, WebDAV enabled and IIS is version 6.0, then you're vulnerable.

Now, other versions of IIS may be vulnerable, but there hasn't been enough research done yet on the issue. According to Thierry Zoller, who has a great write-up and visuals on the vulnerability, says that IIS5 and IIS7 are not vulnerable while the Secunia advisory says it has been confirmed on IIS 5.1 running on a fully patched Windows XP Service Pack 3 system. Yes...you read that right. It was tested on a Windows XP system, not really an "enterprise" server OS, but hey, it was confirmed vulnerable, so it might be vulnerable on Windows Server 2003.

The end result of all of this is that if you are vulnerable, an attacker could bypass authentication (basic, digest, NTLM, etc) and download and upload files to your server. The attacker needs to know some things about your server before exploiting it such as which directories are write-enabled in case he wants to upload files or where the files he wants to download exists. Or, the server needs to have directory browsing enabled to make it easy for the attacker to poke around without any prior knowledge.

I don't think this is going to become a widespread attack vector until someone fully realizes the impact it has on Microsoft Sharepoint and Outlook Web Access systems, and by then, it may be patched. Until then, it's probably going to fly under most people's radar and won't get patched until a regular Microsoft patch cycle. For now, I'll continue testing this in the lab to see what impact it will have on our environment. Additionally, there is a Metasploit auxiliary scanner module that was released late last night that might help with your testing. Happy hacking!!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.