copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Alert » AL-2003.02 -- Microsoft IIS WebDAV Remote Compromise...
 

AL-2003.02 -- Microsoft IIS WebDAV Remote Compromise Vulnerability
Date: 18 March 2003
References: ESB-2003.0175  ESB-2003.0182  ESB-2003.0313  ESB-2003.0579  ESB-2003.0590  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                        AL-2003.02 -- AUSCERT ALERT
           Microsoft IIS WebDAV Remote Compromise Vulnerability
                 Internet Security Systems Security Brief
                               18 March 2003
===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:                WebDAV
Vendor:                 Microsoft
Operating System:       Windows 2000
Impact:                 Administrator Compromise
                        Denial of Service
Access Required:        Remote

Due to the severity and current exploitation of this vulnerability,
AusCERT is releasing this information as an AusCERT Alert.

For additional information and appropriate patches, please reference
the Microsoft Security Bulletin MS03-007, available at:

  http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

AusCERT will continue to monitor this vulnerability and any exploit
activity. AusCERT members will be updated as information becomes
available.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief
March 17, 2003

Microsoft IIS WebDAV Remote Compromise Vulnerability

Synopsis:

A serious vulnerability exists within the WebDAV component of Microsoft
Internet Information Services (IIS) Web server. WebDAV stands for "Web-based
Distrbuted Authoring and Versioning". WebDAV extensions are used by
administrators to manage and edit Web content remotely. WebDAV is enabled by
default on IIS 5 installations, and no authentication or special privileges
are required for remote exploitation.

Impact:

It is possible for remote attackers to run arbitrary code on vulnerable Web
servers. This vulnerability is currently being exploited in the wild, and
X-Force has verified the existence of a functional exploit tool. This
vulnerability is in itself very serious, but the existence of robust exploits
in the wild dictates that fixes or temporary workarounds should be applied
immediately.

Although it is possible to disable WebDAV, doing so requires manually
creating a specific registry key. The IIS Lockdown Tool from Microsoft may
or may not turn off WebDAV, depending on the server template selected at
installation time. 

Affected Versions:

IIS 5.0 on Windows 2000 up to and including Service Pack 3

Note: IIS installations on Windows XP, Windows Server 2003 are not affected.

For the complete ISS X-Force Security Advisory, please visit: 
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22029

______ 


About Internet Security Systems (ISS) 
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a 
pioneer and world leader in software and services that protect critical 
online resources from an ever-changing spectrum of threats and misuse. 
Internet Security Systems is headquartered in Atlanta, GA, with 
additional operations throughout the Americas, Asia, Australia, Europe 
and the Middle East. 

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved 
worldwide. 

Permission is hereby granted for the electronic redistribution of this 
document. It is not to be edited or altered in any way without the 
express written consent of the Internet Security Systems X-Force. If you 
wish to reprint the whole or any part of this document in any other 
medium excluding electronic media, please email xforce@iss.net for 
permission. 

Disclaimer: The information within this paper may change without notice. 
Use of this information constitutes acceptance for use in an AS IS 
condition. There are NO warranties, implied or otherwise, with regard to 
this information or its use. Any use of this information is at the 
user's risk. In no event shall the author/distributor (Internet Security 
Systems X-Force) be held liable for any damages whatsoever arising out 
of or in connection with the use or spread of this information. 
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, 
as well as at http://www.iss.net/security_center/sensitive.php 
Please send suggestions, updates, and comments to: X-Force 
xforce@iss.net of Internet Security Systems, Inc. 




- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPnYPtTRfJiV99eG9AQGapQP+LNyH2y4dRLJBMJ+AVK5x01ZjuojVj50o
zkb+APAJqBadrnrV8PwRXwzC4G1P4CjqHLPnN0xUQbKnGCWgpC9aaM31k5jH2cyP
LYmIR4QPe9MprXPDKaYYtrFk5qdnxlaM2SsB+Hbq+C0bn3AOEUZVlQB0jQ8/WdU2
KGaqiXvws0o=
=6bDY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This alert is provided as a service to AusCERT's members.  As AusCERT did
not write the document quoted above, AusCERT has had no control over its   
content.  The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the alert.  It may not be
updated when updates to the original are made.  If downloading at a later
date, it is recommended that the alert is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the alert above.  If you have any questions or need further information,
please contact them directly.

Previous advisories, alerts and external security bulletins can be 
retrieved from:

        http://www.auscert.org.au/render.html?cid=1977

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPnanfih9+71yA2DNAQFuqwP8DTFoQy2TrbxqkH2IkKlUPe3r+7ZSNtLW
3kZN/XSJXZnt6UxagstXsvgR11Ox8CV6xbjLEdRPcC9xDtjxiDmg4HZUOH7SE08l
U38NOs7S4CLZ0vA/OC45/7FgnOc/AV4b2pOx+ic5RYu4mFRkZInQBeFabWrQTVx0
haT4ebA9mn0=
=yDKJ
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1977&it=2858