Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

Here is what such an attack looks like (from http://milw0rm.com/exploits/8704)

The attacker sends a HTTP GET request to the web server.

GET / %c0%af/protected/protected.zip HTTP/1.1

Translate: f

Connection: close

Host: servername

As seen above the URI contains the unicode character ‘/’ (%c0%af). This unicode character is

removed in a WebDAV request. „Translate: f” instructs the web server to handle the request using

WebDAV. Using this malicious URI construct the webserver sends the file located at

„/protected/protected.zip” back to the attacker without asking for proper authentication.

Mitigating Factors:

File system ACLs are enforced. This vulnerability bypasses the IIS configuration that specifies which authentication is allowed, but not the file system-based ACL check that verifies whether a file is accessible by a given user. A successful exploit of the vulnerability would still restrict the attacker to the permissions granted to the anonymous user account on file system ACL level. Therefore this vulnerability cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs. The default anonymous user account is configured as the IUSR_ account.

The anonymous user account is denied write access by default. In order to successfully exploit this vulnerability with write access, the anonymous user account would need to have write access ACLs set within the IIS folder structure. However, by default, the anonymous user account only has read access ACLs set. On IIS 6.0, there is an explicit deny ACE for the default anonymous user account. Unless overridden by the administrator, this deny ACE will be inherited by all children under the default Web site root.

WebDAV is not enabled by default on IIS 6.0. On Windows Server 2003 systems running IIS 6.0, WebDAV is not enabled in the default configuration. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed.

Affected Software

Microsoft Internet Information Services 5.0

Microsoft Internet Information Services 5.1

Microsoft Internet Information Services 6.0

See also here: http://www.microsoft.com/technet/security/advisory/971492.mspx