Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/18/2009
02:52 PM
John H. Sawyer
John H. Sawyer
Commentary
50%
50%

Zero-Day IIS Vuln Bypasses Authentication

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerabili

Windows sysadmins responsible for servers running Microsoft Internet Information Services (IIS) received an unexpected surprise last Friday afternoon--or first thing this morning--in the form of a zero-day vulnerability. The vulnerability is reminiscent of the well-known IIS unicode path traversal issue from 2001, but instead of path traversal, this allows attackers to access and upload files on WebDAV-enabled IIS 6 servers. Nicolas Rangos (aka Kincope) released information about the vulnerability to the Full Disclosure mailing list on Friday (PDF link).Just like clothing has a way of making a comeback, it seems as if vulnerabilities are having the same zombie-like nature of not wanting to stay dead. Last October, Microsoft Security Bulletin MS08-067 addressed a vulnerability in the Windows Server Service that was in the same netapi32.dll as MS06-040 and even replaces that same security bulletin. Sure, there was only a 2 year cycle between those vulnerabilities, but it's hard not to sit back and laugh if you've been in the security biz for 8, 10 or more years.

You're probably asking yourself what impact this vulnerability will have on your environment. The answer is going to depend on if you use WebDAV or not, and what IIS version you're running. If you don't have WebDAV enabled on your IIS server, then you're safe and can go back to sipping your coffee and reading your RSS feeds. If you're running IIS, WebDAV enabled and IIS is version 6.0, then you're vulnerable.

Now, other versions of IIS may be vulnerable, but there hasn't been enough research done yet on the issue. According to Thierry Zoller, who has a great write-up and visuals on the vulnerability, says that IIS5 and IIS7 are not vulnerable while the Secunia advisory says it has been confirmed on IIS 5.1 running on a fully patched Windows XP Service Pack 3 system. Yes...you read that right. It was tested on a Windows XP system, not really an "enterprise" server OS, but hey, it was confirmed vulnerable, so it might be vulnerable on Windows Server 2003.

The end result of all of this is that if you are vulnerable, an attacker could bypass authentication (basic, digest, NTLM, etc) and download and upload files to your server. The attacker needs to know some things about your server before exploiting it such as which directories are write-enabled in case he wants to upload files or where the files he wants to download exists. Or, the server needs to have directory browsing enabled to make it easy for the attacker to poke around without any prior knowledge.

I don't think this is going to become a widespread attack vector until someone fully realizes the impact it has on Microsoft Sharepoint and Outlook Web Access systems, and by then, it may be patched. Until then, it's probably going to fly under most people's radar and won't get patched until a regular Microsoft patch cycle. For now, I'll continue testing this in the lab to see what impact it will have on our environment. Additionally, there is a Metasploit auxiliary scanner module that was released late last night that might help with your testing. Happy hacking!!

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.