Re: Article on WebDAV Vulnerability (MS03-007)

From: aladin (
Date: 03/25/03

From: (aladin)
Date: 25 Mar 2003 10:39:56 -0800

"Karl Levinson [x y] mvp" <> wrote in message news:<#X4lw1k8CHA.2040@TK2MSFTNGP10.phx.gbl>...
> "aladin" <> wrote in message
> > KLC Consulting has published an article on the MS03-007 WebDAV
> > Vulnerability, which includes detection and mitigation
> > recommendations. This article consolidates many experts' inputs and
> > discussions. The URL is:
> >
> Yes, yes, it's true that the patch is "the only way to be secure from this."
> However, IMHO some sources were too quick to remove and discount using
> URLScan and other tools IN ADDITION to the patch. The reason why the Army
> servers were hacked was they were relying on patches for security and not
> using URLScan, which would have prevented this compromise and other future
> IIS compromises. I hope those people got the message about the usefulness
> of ALSO using URLScan in addition to patching before the NTBugTraq FAQ on
> this was taken down.
> RE: the reference to ISS for signatures to detect this exploit, ISS does not
> disclose their IDS signatures to anyone, not even their customers, much to
> the dismay of their customers. Also, I understand that ISS recently forced
> all their SiteProtector IDS customers to upgrade to the brand new
> SiteProtector 2.0 by immediately ceasing to produce new signatures for the
> previous version with zero overlap... even though it had just emerged from
> beta and still has bugs. I suppose their article is still useful for
> generally understanding this exploit, but unless I'm wrong, they're probably
> not ever going to be a useful place to get IDS signatures.

I agree with you there. I think URLScan and IISLockdown tools should
use in addition to the patch from Microsoft to prevent WebDAV and
other known IIS attacks. With the WebDAV patch alone, it only protect
systems from WebDAV vulnerabilities.

In terms of the signatures, if you know the attacks/exploits, then you
can create a set of signature for your IDS systems. All the WebDAV
commands that can query or pass characters to the servers have this
vulnerability, i.e. POST, SEARCH, ...

If you use Nessus, there is a detection rule from the Nessus website.
The URL is listed in "Detection" section of the KLC's article:

One version of exploit is at, where
it used "POST" command to test. However, as I mentioned earlier,
other commands can achieve the similar attacks.

Therefore, apply the patch from Microsoft ASAP.


KLC Consulting, Inc.