[NT] Unchecked Buffer in Windows Component could Cause Web Server Compromise (WebDAV)
From: support@securiteam.com
Date: 03/19/03
From: support@securiteam.com To: list@securiteam.com Date: 19 Mar 2003 12:33:58 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Unchecked Buffer in Windows Component could Cause Web Server Compromise (WebDAV)
------------------------------------------------------------------------
SUMMARY
Microsoft Windows 2000 supports the World Wide Web Distributed Authoring
and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of
extensions to the Hyper Text Transfer Protocol (HTTP) that provide a
standard for editing and file management between computers on the
Internet. A security vulnerability is present in a Windows component used
by WebDAV, Ntdll.dll, and results because the component contains an
unchecked buffer.
An attacker could exploit the vulnerability by sending a specially formed
HTTP request to a machine running Internet Information Server (IIS). The
request could cause the server to fail or to execute code of the
attacker's choice. The code would run in the security context of the IIS
service (which, by default, runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability and
recommends all affected customers install the patch immediately,
additional tools and preventive measures have been provided which
customers can use to block the exploitation of this vulnerability while
they are assessing the impact and compatibility of the patch. These
temporary workarounds and tools are discussed in the "Workarounds" section
in the FAQ below.
DETAILS
Affected Software:
* Microsoft Windows 2000
Mitigating factors:
* URLScan, which is part of the IIS Lockdown Tool, will block this
attack in its default configuration
* The vulnerability can only be exploited remotely if an attacker can
establish a web session with an affected server
Patch availability:
Download locations for this patch (Microsoft Windows 2000):
The patch for Windows 2000 is available at the following location:
* <http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en> All except Japanese NEC
* <http://microsoft.com/downloads/details.aspx?FamilyId=FBCF9847-D3D6-4493-8DCF-9BA29263C49F&displaylang=ja> Japanese NEC
Why has Microsoft changed the information in the Caveats section of this
bulletin?
Microsoft was made aware that some customers who had received a HotFix
from Product Support Services experienced stop errors on boot after
applying the patch released for this bulletin.
Microsoft has assessed this issue and now knows that it only occurs under
a specific set of circumstances. A series of Windows 2000 HotFixes that
were only available through Product Support Services and were issued
between December 2001 and February 2002 were incompatible with the patch
for this vulnerability. Customers who are running one of those 12 HotFixes
on Windows 2000 Service Pack 2 will experience a stop error on reboot
after applying this patch. More information on how to determine if you
have installed a HotFix that is incompatible with this patch is available
in the Additional Information section under Caveats.
Customers who are running Windows 2000 Service Pack 3 or are not running
one of these HotFixes will not encounter this problem.
What's the scope of the vulnerability?
This is a buffer-overrun vulnerability. An attacker who successfully
exploited this vulnerability could gain complete control over an affected
web server. This would give the attacker the ability to take any desired
action on the server, including changing web pages, reformatting the hard
drive or adding new users to the local administrators group.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a component of
Windows, Ntdll.dll, that can be called using WebDAV. By sending a
specially constructed request through WebDAV, an attacker could cause code
to run on a web server in the Local System security context.
What is WebDAV?
WebDAV is an industry standard extension to the HTTP specification. The
"DAV" in "WebDAV" stands for "distributed authoring and versioning".
WebDAV adds a capability for authorized users to remotely add and manage
content on a web server. WebDAV is supported in Windows 2000.
What's wrong with the way IIS 5.0 handles WebDAV requests?
WebDAV uses IIS to pass requests to and from Windows 2000. When IIS
receives a WebDAV request, it typically processes the request and then
acts on it. However, if the request is formed in a particular way, a
buffer overrun can result because one of the Windows components called by
WebDAV does not correctly check parameters.
Can the vulnerability be exploited on Windows NT 4.0 through IIS 4.0?
No. WebDAV is not supported in IIS 4.0, so the ability for an attacker to
exploit the vulnerability does not exist.
Can the vulnerability be exploited on Windows XP through IIS 5.1?
No. This vulnerability is not present on Windows XP.
If I have confirmed I am not running IIS 5.0 should I still install the
patch?
Yes. Disabling or modifying IIS 5.0 will still leave the vulnerable
Windows component on the system. All customers running Windows 2000 should
install the patch.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a
specially formed WebDAV request to a web server running IIS 5.0.
Who could exploit the vulnerability?
Any user who could deliver a WebDAV request to an affected web server
could attempt to exploit the vulnerability. Because WebDAV requests travel
over the same port as HTTP (normally port 80), this in essence means that
any user who could establish a connection with an affected server could
attempt to exploit the vulnerability.
What would this allow an attacker to do?
If an attacker were able to run code with Local System privileges on an
affected system, the attacker would be able to take any action on the
system, including installing programs, viewing, changing or deleting data,
or creating new accounts with full privileges.
How do I know if I am running IIS?
IIS 5.0 is installed by default on all server versions of Windows 2000. It
is not installed on Windows 2000 Professional by default.
To check if IIS is installed on your system, carry out the following: Go
to "Start | Settings | Control Panel | Administrative Tools | Services".
If the "World Wide Web Publishing" service is listed then IIS is
installed.
What products does IIS 5.0 ship with?
Internet Information Services 5.0 ships as part of Windows 2000 Datacenter
Server, Advanced Server, Server, and Professional.
Does IIS 5.0 run by default?
IIS 5.0 runs by default on all Windows 2000 server products. It does not
run by default on Windows 2000 Professional.
Is WebDAV enabled by default on IIS 5.0?
Yes, although it can be disabled by following the steps mentioned in the
Workarounds section below.
Workarounds:
Are there any workarounds that can be used to block exploitation of this
vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the
earliest possible opportunity, there are a number of workarounds that can
be applied to block the WebDAV request used to exploit this vulnerability
in the interim. In addition, Microsoft is providing tools and
documentation to deploy these workarounds more easily.
It should be noted that these workarounds should be considered temporary
measures as they simply block the path of attack rather than correcting
the underlying vulnerability.
The following sections are intended to provide you with information to
protect your computer from attack. Each section describes the workarounds
that you may wish to use depending on your computer's configuration.
If you do not require IIS on your computer:
IIS can be disabled by running IIS lockdown tool. The IIS lockdown tool is
provided at the following location:
<http://www.microsoft.com/downloads/release.asp?ReleaseID=43955>
Alternatively, you can also remove IIS by performing the steps listed in
the following Knowledge Base article:
<http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321141>
If you require IIS but do not need WebDAV enabled:
WebDAV provides a standard for editing and file management between
computers on the Internet. If you are not using WebDAV, you can disable it
by running the IIS Lockdown tool and specifying to the tool that you do
not use WebDAV. You can obtain the IIS Lockdown tool from the following
location:
<http://www.microsoft.com/downloads/release.asp?ReleaseID=43955>
Note that while the IIS Lockdown tool prevents the successful execution of
this and many other attacks, it may interfere with the functioning of your
web server under certain circumstances. While it is possible to limit your
use of the IIS Lockdown tool to disabling WebDAV, you should consider
applying all of the lockdown including URLScan. Information on using the
IIS lockdown tool is provided at the following location:
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864>
You may also disable WebDAV by following the instructions listed in the
Microsoft Knowledge Base article at:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;241520>
If you require the use of WebDAV on your computer:
There are a number of workarounds that can be applied to block the request
used to exploit this vulnerability and retain WebDAV functionality if you
are using it.
Customers that cannot deploy the IIS lockdown tool or URLScan to their web
servers can restrict the buffer used by IIS to receive the request that
can be used to exploit this vulnerability. Microsoft has provided the URL
Buffer Size Registry Tool to automatically set the registry key that will
restrict the buffer. This tool can be run on Web Servers running Windows
2000 to protect against attacks that would attempt to exploit this
vulnerability. The tool can be run locally on the web server to be
protected, or it can be applied remotely to multiple web servers by a user
who has administrative access to the servers. Information on the URL
Buffer Size Registry Tool as well as additional workaround tools is
located in the following Knowledge Base Article:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;816930>
The URL Buffer Size Registry tool can be run on systems running Windows
2000 Service Pack 2 or Service Pack 3. In addition, the registry change
can be made manually by following the instructions in the following
Knowledge Base article:
<http://support.microsoft.com/default.aspx?scid=kb;en-us;260694>
Note that customers should evaluate the maximum buffer size that is
practical for their environment and set that maximum value, but in any
case, the buffer should be set to a size less than 64K bytes. Microsoft
recommends 16K as a reasonable value. The value of 16K is the limit that
will automatically be set by the URL Buffer Size Registry tool.
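To make the URL Buffer Size workaround concrete, the following is an added Python example, not Microsoft's tool and not part of the SecuriTeam bulletin. It applies the same rule to captured HTTP request lines: a request whose URL exceeds the configured ceiling (16K by default, never 64K or more) is flagged as one IIS would reject with the registry change in place, and RFC 2518 methods are marked so a reviewer can separate oversized WebDAV traffic from ordinary noise. The method list, the helper names and the sample request lines are assumptions constructed for illustration; the script reads request lines only and does not modify the registry.

```python
"""Flag requests whose URL exceeds the buffer limit the advisory recommends.

Added example (not Microsoft's URL Buffer Size Registry tool). It mirrors the
defensive idea behind that workaround: a request whose URL is longer than a
configured ceiling is rejected before the vulnerable component ever sees it.
"""

# Assumption: WebDAV methods from RFC 2518, plus SEARCH, which IIS 5.0's
# WebDAV implementation also accepts even though RFC 2518 does not define it.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

RECOMMENDED_MAX_URL = 16 * 1024   # 16K: the value the registry tool sets
HARD_CEILING = 64 * 1024          # advisory: the buffer must be below 64K bytes


def buffer_limit_is_acceptable(limit_bytes):
    """True if a configured URL buffer limit respects the advisory's constraint."""
    return 0 < limit_bytes < HARD_CEILING


def parse_request_line(line):
    """Split 'METHOD SP Request-URI SP HTTP-Version'; None if malformed."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return {"method": parts[0], "uri": parts[1], "version": parts[2]}


def assess_request(line, max_url_bytes=RECOMMENDED_MAX_URL):
    """Return a verdict for one request line.

    'reject' is True when the URL is longer than max_url_bytes, which is what
    the registry workaround makes IIS do; 'webdav' marks RFC 2518 methods.
    """
    req = parse_request_line(line)
    if req is None:
        return {"ok": False, "reason": "malformed request line"}
    url_len = len(req["uri"].encode("utf-8"))
    return {
        "ok": True,
        "method": req["method"],
        "url_bytes": url_len,
        "webdav": req["method"] in WEBDAV_METHODS,
        "reject": url_len > max_url_bytes,
    }


def triage(lines, max_url_bytes=RECOMMENDED_MAX_URL):
    """Return a summary of every request line that would be rejected."""
    hits = []
    for line in lines:
        verdict = assess_request(line, max_url_bytes)
        if verdict["ok"] and verdict["reject"]:
            hits.append({"method": verdict["method"],
                         "url_bytes": verdict["url_bytes"],
                         "webdav": verdict["webdav"]})
    return hits


# Constructed sample traffic: two ordinary requests and one WebDAV request
# whose URL is well past the 16K limit (filler characters, nothing more).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "PROPFIND /docs/ HTTP/1.1",
    "SEARCH /" + "A" * 20000 + " HTTP/1.1",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

Running the script against the constructed sample reports only the oversized SEARCH request; the two ordinary requests are well under 16K and would pass unchanged, which is the point of the workaround: legitimate WebDAV use keeps working while the request size the buffer can hold is capped.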
URLScan, which is installed by the IIS Lockdown tool, will also block the
web request that can be used to exploit this vulnerability. You can obtain
the URLScan tool from:
<http://www.microsoft.com/technet/security/tools/tools/urlscan.asp>
Note that while the IIS Lockdown tool prevents the successful execution of
this and many other attacks, it may interfere with the functioning of your
web server under certain circumstances. While it is possible to limit your
use of the IIS Lockdown tool to installation of URLScan, you should
consider applying all of the lockdown including URLScan.
Information on customizing and configuring URLScan can be found at the
following location:
<http://support.microsoft.com/default.aspx?scid=kb;[LN];326444>
Information on using the IIS lockdown tool is provided at the following
location:
<http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864>
What does the patch do?
The patch corrects the issue by changing the method by which the affected
Windows component accepts requests.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:0_45608_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.