Exploit code for a vulnerability in Microsoft’s Internet Information Services software is circulating around the Web, leaving organizations in search for ways to keep hackers at bay.
According to US-CERT, attacks leveraging the vulnerability are already under way, though Microsoft said in an advisory it was unaware of any exploits. Still, US-CERT urged users waiting for a patch to consider disabling WebDAV.
For administrators unable to do so, US-CERT recommends reconfiguring the software to block attacks.
“Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing ‘Translate: f’ headers,” according to the US-CERT advisory.
The problem lies in the way the WebDAV extension for IIS handles HTTP requests. Armed with a specially crafted HTTP request to a Website that requires authentication, a hacker can exploit the vulnerability to win unauthorized access to protected resources.
“The vulnerability occurs because the WebDAV extension does not properly decode the requested URL,” according to Microsoft. “This causes WebDAV to apply an incorrect configuration when handling the request. If the applied configuration allows anonymous access, a malicious request can bypass authentication.
“Note that IIS would still process such a request in the security context of the configured anonymous user account,” the advisory continued. “Therefore, this vulnerability cannot be used to bypass NTFS ACLs. The restrictions imposed on the anonymous user account by file system ACLs will still be enforced.”
Only a specific configuration of IIS is at risk from the vulnerability, which may serve as an additional mitigation for the threat. The vulnerability is only at play if an IIS 5, 5.1 or 6.0 Web server is running with WebDAV enabled, the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users, and file system access is granted for the restricted content to the IUSR_[MachineName] account. In addition, a parent folder of the private subfolder must allow anonymous access.
Also, the Windows Server 2003 IIS (Version 6) shipped with WebDAV disabled by default, Microsoft officials said.
Microsoft did not say whether or not the company would issue an out-of-band patch for the vulnerability. The next scheduled security release is June 9.