Microsoft's Internet Information Services (IIS) software has an authentication-bypass vulnerability in its WebDAV extension (Microsoft classes it as elevation of privilege) that US-CERT says is being actively exploited. While users wait for a patch, here are ways to mitigate the vulnerability.
Exploit code for a vulnerability in Microsoft's Internet Information Services software is circulating around the Web, leaving organizations in search of ways to keep attackers at bay.
According to US-CERT, attacks leveraging the vulnerability are already under way, though Microsoft said in an advisory it was unaware of any exploits. Still, US-CERT urged users waiting for a patch to consider disabling WebDAV.
For administrators unable to do so, US-CERT recommends reconfiguring the software to block attacks.
"Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing 'Translate: f' headers," according to the US-CERT advisory.
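The US-CERT suggestion above is a header-matching rule, and a naive byte-for-byte match on the string 'Translate: f' is easy to miss: HTTP header names are case-insensitive, and the value can arrive as 'F' with extra whitespace. The following Python is an added example (not code from US-CERT, Microsoft or any IDS product) of how such a rule can be implemented so that it tolerates those variations and also reports the percent-decoded request path, so an analyst can see whether the request was aimed at a folder that IIS restricts to authenticated users. The sample requests and the PROTECTED_PREFIXES list are constructed for the example; the path check is a plain prefix match after one round of percent-decoding and is not a model of how IIS itself canonicalizes URLs.

```python
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): an ordinary GET, a
# WebDAV PROPFIND carrying "Translate: f" against a protected folder, a
# percent-encoded target with the header name and value in different case,
# and a Translate: f request against public content.
SAMPLE_REQUESTS = [
    "GET /public/index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "PROPFIND /private/reports/ HTTP/1.1\r\nHost: www.example.com\r\n"
    "Translate: f\r\nDepth: 1\r\n\r\n",
    "GET /pri%76ate/secret.doc HTTP/1.1\r\nHost: www.example.com\r\n"
    "translate:  F\r\n\r\n",
    "GET /public/notes.txt HTTP/1.1\r\nHost: www.example.com\r\n"
    "Translate: f\r\n\r\n",
]

# Hypothetical list of folders that the IIS configuration restricts to
# authenticated users (the "private subfolder" in Microsoft's description).
PROTECTED_PREFIXES = ["/private/"]


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; a rule that matches only 'Translate: f' byte-for-byte
    would miss 'translate: F'.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def has_translate_f(headers):
    """True when the request carries a Translate header whose value is f/F."""
    return headers.get("translate", "").lower() == "f"


def decoded_path(target):
    """Percent-decode the request path once and lower-case it (Windows paths
    are case-insensitive).  Comparing the decoded path rather than the raw
    target is what keeps an encoded variant like /pri%76ate/ from slipping
    past a prefix match.  This is a single unquote(), not IIS's own
    canonicalization."""
    path = target.split("?", 1)[0]
    return unquote(path).lower()


def classify(raw):
    """Return (verdict, decoded_path) for one raw request.

    'block'  : Translate: f aimed at a protected folder
    'review' : Translate: f elsewhere (legitimate WebDAV clients send it too)
    'allow'  : no Translate: f header
    """
    _method, target, headers = parse_request(raw)
    path = decoded_path(target)
    if not has_translate_f(headers):
        return "allow", path
    if any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES):
        return "block", path
    return "review", path


def classify_all(requests):
    """Classify a batch of raw requests; returns a list of (verdict, path)."""
    return [classify(raw) for raw in requests]


if __name__ == "__main__":
    for verdict, path in classify_all(SAMPLE_REQUESTS):
        print(f"{verdict:7s} {path}")
```

Two caveats a practitioner should keep in mind. First, 'Translate: f' is also sent by legitimate Microsoft WebDAV clients, which is why the advisory scopes the rule to external requests; the 'review' verdict above exists so that internal or expected traffic is not silently dropped. Second, the rule addresses the symptom rather than the bug: if an attacker's request reaches the WebDAV extension without that header, the IDS rule does nothing, so it is a stopgap until WebDAV can be disabled or the patch applied.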
The problem lies in the way the WebDAV extension for IIS handles HTTP requests. With a specially crafted HTTP request to a Web site that requires authentication, an attacker can exploit the vulnerability to gain unauthorized access to protected resources without supplying credentials.
"The vulnerability occurs because the WebDAV extension does not properly decode the requested URL," according to Microsoft. "This causes WebDAV to apply an incorrect configuration when handling the request. If the applied configuration allows anonymous access, a malicious request can bypass authentication.
"Note that IIS would still process such a request in the security context of the configured anonymous user account," the advisory continued. "Therefore, this vulnerability cannot be used to bypass NTFS ACLs. The restrictions imposed on the anonymous user account by file system ACLs will still be enforced."
Only a specific configuration of IIS is at risk from the vulnerability, which itself limits the threat. The vulnerability is only in play when all of the following hold: an IIS 5, 5.1 or 6.0 Web server is running with WebDAV enabled; the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users; file system access to the restricted content is granted to the IUSR_[MachineName] account; and a parent folder of the private subfolder allows anonymous access. A server that fails any one of these conditions is not exposed, and removing file system access for the anonymous account from the restricted content is consistent with Microsoft's note that NTFS ACLs are still enforced.
Also, the Windows Server 2003 IIS (Version 6) shipped with WebDAV disabled by default, Microsoft officials said.
Microsoft did not say whether or not the company would issue an out-of-band patch for the vulnerability. The next scheduled security release is June 9.