Microsoft Internet Information Services (IIS) WebDAV security bypass (HTTP_IIS_WebDAV_Security_Bypass)

About this signature or vulnerability

Proventia Desktop, Proventia Network IPS, RealSecure Network, RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature fires when an HTTP request containing unicode encoded characters and a WebDAV header header are sent to an IIS5 or IIS6 server.


Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Desktop: 2400, Proventia Network IPS: XPU 29.060, RealSecure Network: XPU 29.060, RealSecure Server Sensor: XPU 29.060, Proventia Network MFS: XPU 29.060, Proventia-G 1.1 and earlier: XPU 29.060, Proventia Network IDS: XPU 29.060, IBM Security Server Protection for Windows: 1.0.914.2400, IBM Security Server Protection for Windows: 2.0.300.2400, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 29.060, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft IIS: 6.0, Microsoft Windows 2000: SP4, Microsoft Windows XP: SP2 Professional, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Internet Information Server: 5.0, Microsoft Internet Information Server: 5.1, Microsoft Windows XP: SP3 Professional

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Information Services (IIS) could allow a remote attacker to bypass security restrictions, caused by the improper handling of WebDAV requests for directories requiring authentication. By sending a specially-crafted HTTP request to a WebDAV-enabled IIS server, a remote attacker could exploit this vulnerability to bypass security restrictions and download protected files.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-020. See References.

References

milw0rm.com [2009-05-15]
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability
http://milw0rm.com/exploits/8704

Microsoft IIS Web site
The Official Microsoft IIS Site
http://www.iis.net/

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/advisory/971492.mspx

milw0rm.com [2009-05-22]
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)
http://milw0rm.com/exploits/8765

milw0rm.com [2009-05-21]
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (patch)
http://milw0rm.com/exploits/8754

milw0rm.com [2009-05-26]
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (pl)
http://milw0rm.com/exploits/8806

Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

ISS X-Force
Microsoft Internet Information Services (IIS) WebDAV security bypass
http://www.iss.net/security_center/static/50573.php

CVE
CVE-2009-1535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535