Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/18/2009
02:52 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Zero-Day IIS Vuln Bypasses Authentication

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerabili

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerability to the Full Disclosure mailing list on Friday (PDF link).Just like clothing has a way of making a comeback, it seems as if vulnerabilities are having the same zombie-like nature of not wanting to stay dead. Last October, Microsoft Security Bulletin MS08-067 addressed a vulnerability in the Windows Server Service that was in the same netapi32.dll as MS06-040 and even replaces that same security bulletin. Sure, there was only a 2 year cycle between those vulnerabilities, but it's hard not to sit back and laugh if you've been in the security biz for 8, 10 or more years.

You're probably asking yourself what impact this vulnerability will have on your environment. The answer is going to depend on if you use WebDAV or not, and what IIS version you're running. If you don't have WebDAV enabled on your IIS server, then you're safe and can go back to sipping your coffee and reading your RSS feeds. If you're running IIS, WebDAV enabled and IIS is version 6.0, then you're vulnerable.

Now, other versions of IIS may be vulnerable, but there hasn't been enough research done yet on the issue. According to Thierry Zoller, who has a great write-up and visuals on the vulnerability, says that IIS5 and IIS7 are not vulnerable while the Secunia advisory says it has been confirmed on IIS 5.1 running on a fully patched Windows XP Service Pack 3 system. Yes...you read that right. It was tested on a Windows XP system, not really an "enterprise" server OS, but hey, it was confirmed vulnerable, so it might be vulnerable on Windows Server 2003.

The end result of all of this is that if you are vulnerable, an attacker could bypass authentication (basic, digest, NTLM, etc) and download and upload files to your server. The attacker needs to know some things about your server before exploiting it such as which directories are write-enabled in case he wants to upload files or where the files he wants to download exists. Or, the server needs to have directory browsing enabled to make it easy for the attacker to poke around without any prior knowledge.

I don't think this is going to become a widespread attack vector until someone fully realizes the impact it has on Microsoft Sharepoint and Outlook Web Access systems, and by then, it may be patched. Until then, it's probably going to fly under most people's radar and won't get patched until a regular Microsoft patch cycle. For now, I'll continue testing this in the lab to see what impact it will have on our environment. Additionally, there is a Metasploit auxiliary scanner module that was released late last night that might help with your testing. Happy hacking!!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3493
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
CVE-2021-3492
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
CVE-2020-2509
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build 20210202 and later Q...
CVE-2020-36195
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
CVE-2021-29445
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...