Follow:

Exploit:Win/IISUnicode.WebDav.PE!CVE-2009-1535

Severity rating
Moderate

Class/Type
Exploit

Discovered date
2009-05-18T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium



On this page




Description

This Vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of internet infromation server 6.0. The specific flaw exists within the WebDav functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data. Exploitation of the issue can lead to authentication bypass and listing, downloading and uploading of files into a password protected WebDAV folder.



Impact

An attacker could exploit the vulnerability by creating a specially crafted HTTP request to a Web site that requires authentication, and thereby gain unauthorized access to protected resources.



Technical details (analysis)

The vulnerability occurs because the WebDAV extension does not properly decode the requested URL. This causes WebDAV to apply an incorrect configuration when handling the request. If the applied configuration allows anonymous access, a malicious request can bypass authentication. Note that IIS would still process such a request in the security context of the configured anonymous user account. Therefore, this vulnerability cannot be used to bypass NTFS ACLs. The restrictions imposed on the anonymous user account by file system ACLs will still be enforced



Affected software

Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 6.0



Non-affected software

Microsoft Internet Information Services 7.0



References




Solutions




NIS signature

Name: Exploit:Win/IISUnicode.WebDav.PE!CVE-2009-1535
Release Date: 2009-05-18T00:00:00



Known false positives

No known false positives at this time



Work-arounds

Disable WebDav by using IIS Lockdown Tool 2.1.
Change the file system ACLs to deny access to the anonymous user account.
Microsoft UrlScan Filter v3.1 can be used to disable WebDav.