Microsoft IIS 6.0 WebDAV Authentication Bypass Vulnerability

Written by Editor on May 19, 2009

A few days ago Nicolaos Rangos (Kingcope) released an advisory for a vulnerability in Microsoft Internet Information Server (IIS). The issue affects IIS 6.0 when handling Unicode characters in request URIs.

Specifically, an attacker could use a specially crafted request to bypass authentication on password-protected resources served via WebDAV. These requests contain Unicode-encoded '/' characters (%c0%af). It is reported that the issue is not limited to WebDAV folders but affects other password-protected folders too.

The issue could be exploited to bypass authentication on a protected resource on a server running IIS without providing any credentials. In the case of a WebDAV folder it would also be possible to list, download, modify and upload arbitrary files on the server. Alas, the attack is very easy to carry out and there is a high probability that it will be used in the wild, as there are a significant number of IIS 6.0 hosts out there and many will have WebDAV and/or password-protected resources available.

Example requests are freely available, and a Metasploit auxiliary module exists that can be used to exploit the issue. There is some good news, however: the issue does not affect IIS 7.0, and by default IIS 6.0 does not have the WebDAV module enabled. Also, the vulnerability does not bypass file-system ACLs, so an attacker would only have access to files and directories that the anonymous user account used by IIS can access. The vulnerability is currently unpatched, but it is acknowledged by Microsoft in security advisory 971492.

There are some possible mitigation measures that can be employed:

  • If possible, filter incoming HTTP requests for the Unicode character sequence '%c0%af'
  • Block incoming access to web servers from all but trusted users if possible
  • If WebDAV is not required, explicitly disable it until a patch is available
  • Modify file system permissions to further restrict access by the anonymous account
  • Finally, if possible, upgrade to IIS 7.0
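
The first mitigation in the list above, filtering requests for '%c0%af', is worth doing a little more generally, because %c0%af is just the two-byte overlong UTF-8 encoding of '/' and the same idea applies to any overlong form. The following is an added example (not code from the original post or from the advisory) that percent-decodes a request path and flags overlong UTF-8 sequences; the request lines it scans are constructed for the example.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from the original post): the kind of
# input a reverse proxy, IDS or request filter sees before IIS handles it.
SAMPLE_REQUESTS = [
    "GET /protected/report.doc HTTP/1.1",
    "PROPFIND /protected/%c0%af HTTP/1.1",
    "GET /%c0%afprotected/report.doc HTTP/1.1",
    "GET /caf%c3%a9/menu.html HTTP/1.1",
    "GET /protected/%e0%80%af HTTP/1.1",
]

def overlong_sequences(path):
    """Return the percent-decoded overlong UTF-8 sequences found in a request path.

    %c0%af decodes to the bytes C0 AF, an overlong two-byte encoding of '/'.
    A strict UTF-8 decoder rejects it; a lenient one maps it to '/', which is
    what the authentication bypass described in the advisory relies on.
    """
    raw = unquote_to_bytes(path)
    found, i = [], 0
    while i < len(raw):
        b = raw[i]
        c1 = raw[i + 1] if i + 1 < len(raw) else -1
        c2 = raw[i + 2] if i + 2 < len(raw) else -1
        # Lead bytes C0/C1 are never valid UTF-8: they can only begin an
        # overlong two-byte encoding of a 7-bit ASCII byte (C0 AF -> '/').
        if b in (0xC0, 0xC1) and 0x80 <= c1 <= 0xBF:
            found.append(raw[i:i + 2])
            i += 2
        # E0 followed by 80..9F is the overlong three-byte form (E0 80 AF -> '/').
        elif b == 0xE0 and 0x80 <= c1 <= 0x9F and 0x80 <= c2 <= 0xBF:
            found.append(raw[i:i + 3])
            i += 3
        else:
            i += 1
    return found

def flag_requests(lines):
    """Return (request line, [hex of each overlong sequence]) for suspect requests."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        seqs = overlong_sequences(parts[1])
        if seqs:
            flagged.append((line, [s.hex() for s in seqs]))
    return flagged

if __name__ == "__main__":
    for line, seqs in flag_requests(SAMPLE_REQUESTS):
        print(f"{line}  <- overlong UTF-8: {', '.join(seqs)}")
```

A legitimately encoded non-ASCII path such as /caf%c3%a9 is not flagged, so the check can sit in front of IIS without breaking valid Unicode URLs.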

The full details of the vulnerability can be found here and here, and you can find out more here. The last link has a good explanation of the vulnerability and its relation to the IIS Unicode vulnerability MS01-026 from 2001.