Microsoft has released a security bulletin and software updates to address the Internet Information Services WebDav Unicode processing security bypass vulnerability. US-CERT has released a vulnerability note.
Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.
The vulnerability is due to improper processing of Unicode characters in HTTP requests. An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the system. An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system.
Exploit code is available.
Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
Microsoft IIS versions 5.0, 5.1, and 6.0 are vulnerable.
Only systems that have WebDav enabled are affected by this vulnerability. In addition, attackers must be able to send HTTP requests to the vulnerable system to accomplish an exploit. Depending on system configuration, an attacker may require access to internal networks to connect to a targeted system.
An exploit could allow the attacker to bypass security restrictions and access files stored on a targeted server, which may result in the disclosure of sensitive information. Default IIS configurations restrict the actions that an attacker could perform. Because an exploit only allows the attacker to take actions with the anonymous web account, he or she could only view files that allow IUSR access. The attacker could not write files to IIS folders.
Administrators of sites that are hosting sensitive information on IIS servers that use WebDav are advised to put effective mitigations into place immediately because exploit code is publicly available. However, there have been no public reports of exploits that attempt to leverage this vulnerability.
Microsoft has released a security bulletin at the following link: MS09-020
Microsoft has released a security advisory at the following link: 971492
US-CERT has released a vulnerability note at the following link: VU#787932
An unauthenticated, remote attacker could exploit this vulnerability to download or upload arbitrary files from a protected WebDav resource without authentication.
The vulnerability is due to improper processing of Unicode characters in HTTP requests.† When IIS is configured with WebDav, it improperly translates Unicode %c0%af (/) characters.† Microsoft IIS may process an HTTP request that contains the character before requiring authentication to a protected resource.† An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the targeted server.† An exploit could allow the attacker to list directory contents or download protected files that are hosted by IIS without providing authentication credentials.† Although the attacker could view any files with the privileges of the anonymous IUSR account, write
access to folders that are hosted within IIS is disabled by default to the anonymous web user.
Administrators are advised to apply the appropriate update.
Administrators are advised to restrict network access to affected systems.
Administrators may consider disabling WebDav.
Administrators may consider employing file-level access controls to restrict the anonymous web user account from accessing critical files.
Administrators are advised to monitor logging information for critical systems for the %c0%af character in HTTP requests. Such requests may indicate exploit attempts.
Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Version 2, May 19, 2009, 10:54 AM: Microsoft has released a security advisory to address the Internet Information Services WebDav Unicode processing security bypass vulnerability.
Version 1, May 18, 2009, 9:42 AM: Microsoft Internet Information Services contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information. Updates are unavailable.
Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.