
Network World

Julie Bort

Microsoft investigates security hole in IIS

By Microsoft Subnet on Tue, 05/19/09 - 11:27am.

Microsoft late yesterday issued a security advisory (971492) about a publicly reported vulnerability in IIS versions 5, 5.1 and 6.0 that could allow an attacker to elevate privileges. The vulnerability is an IIS authentication bypass but it currently requires a narrow configuration, the company says. Microsoft is currently investigating the vulnerability to see if other configurations could be successfully targeted.

The hole can currently be exploited only if your web server meets all of the following criteria:

  • IF an IIS 5, 5.1, or 6.0 webserver is running with WebDAV enabled;
  • AND the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users;
  • AND file system access is granted for the restricted content to the IUSR_[MachineName] account;
  • AND a parent folder of the private subfolder allows anonymous access;
    THEN an anonymous remote user may be able to leverage this vulnerability to access files that normally would only be served to authenticated webserver users.

Microsoft says it has not seen exploits of the vulnerability in the wild. It has not issued a patch, but has spelled out a number of workarounds, most of which involve modifying one or more of the configuration settings in the above list.


Attacker might only be able to read files, not write them


According to an e-mail sent to Microsoft Subnet from Eric Schultze, CTO, Shavlik Technologies, St. Paul, MN, the flaw is less serious for IIS6 because WebDAV is disabled by default.

"In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the webserver, but would not allow them to write any files. If the attacker is unable to write any files to the webserver, it's far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server. One note of caution - this flaw could enable attackers to read code pages on the webserver, where these pages might include usernames or passwords for applications or databases controlled by the webserver.

"I recommend people running IIS5 or IIS6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day."

See Microsoft Subnet for more Microsoft-related news, blogs, security alerts.

Great summary of the conditions but....


We are trying to determine a way to assess all of the vulnerability conditions in our environment and it's next to impossible. Getting the IIS versions is easy enough using SCCM but figuring out whether WebDAV is enabled without going machine by machine is problematic. Any help in that direction (Microsoft!) would be great.

Microsoft Subnet asked for


Microsoft Subnet asked for some help on detecting WebDAV from Eric Schultze, CTO, Shavlik Technologies. He offered this web page that has a bunch of useful info for detecting webdav: http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm#How%20to%20detect

He also recommends the tool from Steve Shockley here: http://www.ntbugtraq.com/download/scanWebDavexe.zip (source code is available)

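As an added example (not code from the post, nor from the KLC article or the scanWebDav tool it links to), here is the outside-in check those tools perform, which answers the "how do I find WebDAV without going machine by machine" question above: send one HTTP OPTIONS request to each of your own IIS hosts and report whether the response advertises WebDAV (a DAV header, an MS-Author-Via: DAV header, or DAV methods in Allow) and whether the Server header names IIS 5.0, 5.1 or 6.0. The sample header sets are constructed to mimic IIS responses and are not captured from any real host; hostnames are taken from the command line.

```python
import http.client
import re
import sys

# Constructed sample OPTIONS response headers (not captured from a real host),
# mimicking an IIS 6 server with WebDAV enabled and one with it disabled.
SAMPLE_WEBDAV_ON = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "MS-Author-Via": "DAV",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
             "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
}
SAMPLE_WEBDAV_OFF = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}

# Methods that only a WebDAV-capable server advertises.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def webdav_enabled(headers):
    """Classify OPTIONS response headers; returns (enabled, list of evidence)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    evidence = []
    if "dav" in h:
        evidence.append("DAV: " + h["dav"])
    if "DAV" in h.get("ms-author-via", "").upper():
        evidence.append("MS-Author-Via: " + h["ms-author-via"])
    advertised = set()
    for name in ("allow", "public"):                 # IIS lists methods in either header
        advertised |= {m.strip().upper() for m in h.get(name, "").split(",") if m.strip()}
    found = sorted(advertised & WEBDAV_METHODS)
    if found:
        evidence.append("methods: " + ", ".join(found))
    return (bool(evidence), evidence)

def is_iis_5_or_6(headers):
    """True when the Server header names one of the IIS versions in the advisory."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    m = re.match(r"Microsoft-IIS/(\d+(?:\.\d+)?)", server)
    return bool(m) and m.group(1) in ("5.0", "5.1", "6.0")

def probe(host, port=80, path="/", timeout=5):
    """Send one OPTIONS request to a host you administer and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        headers = dict(conn.getresponse().getheaders())
    finally:
        conn.close()
    enabled, evidence = webdav_enabled(headers)
    return {"host": host, "iis_5_or_6": is_iis_5_or_6(headers),
            "webdav": enabled, "evidence": evidence}

if __name__ == "__main__":
    for host in sys.argv[1:]:                        # e.g. python check_webdav.py web01 web02
        print(probe(host))
```

Hosts that report both iis_5_or_6 and webdav true still need the three folder-permission conditions from the list above checked locally before they count as exposed.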
