Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/18/2009
02:52 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Zero-Day IIS Vuln Bypasses Authentication

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerabili

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerability to the Full Disclosure mailing list on Friday (PDF link).Just like clothing has a way of making a comeback, it seems as if vulnerabilities are having the same zombie-like nature of not wanting to stay dead. Last October, Microsoft Security Bulletin MS08-067 addressed a vulnerability in the Windows Server Service that was in the same netapi32.dll as MS06-040 and even replaces that same security bulletin. Sure, there was only a 2 year cycle between those vulnerabilities, but it's hard not to sit back and laugh if you've been in the security biz for 8, 10 or more years.

You're probably asking yourself what impact this vulnerability will have on your environment. The answer is going to depend on if you use WebDAV or not, and what IIS version you're running. If you don't have WebDAV enabled on your IIS server, then you're safe and can go back to sipping your coffee and reading your RSS feeds. If you're running IIS, WebDAV enabled and IIS is version 6.0, then you're vulnerable.

Now, other versions of IIS may be vulnerable, but there hasn't been enough research done yet on the issue. According to Thierry Zoller, who has a great write-up and visuals on the vulnerability, says that IIS5 and IIS7 are not vulnerable while the Secunia advisory says it has been confirmed on IIS 5.1 running on a fully patched Windows XP Service Pack 3 system. Yes...you read that right. It was tested on a Windows XP system, not really an "enterprise" server OS, but hey, it was confirmed vulnerable, so it might be vulnerable on Windows Server 2003.

The end result of all of this is that if you are vulnerable, an attacker could bypass authentication (basic, digest, NTLM, etc) and download and upload files to your server. The attacker needs to know some things about your server before exploiting it such as which directories are write-enabled in case he wants to upload files or where the files he wants to download exists. Or, the server needs to have directory browsing enabled to make it easy for the attacker to poke around without any prior knowledge.

I don't think this is going to become a widespread attack vector until someone fully realizes the impact it has on Microsoft Sharepoint and Outlook Web Access systems, and by then, it may be patched. Until then, it's probably going to fly under most people's radar and won't get patched until a regular Microsoft patch cycle. For now, I'll continue testing this in the lab to see what impact it will have on our environment. Additionally, there is a Metasploit auxiliary scanner module that was released late last night that might help with your testing. Happy hacking!!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.