Vulnerability Alert

Microsoft Internet Information Services WebDav Unicode Processing Security Bypass Vulnerability

 
Threat Type: CWE-287: Authentication Issues
IntelliShield ID: 18261
Version: 3
First Published: 2009 May 18 13:42 GMT
Last Published: 2009 June 09 19:02 GMT
Port: 80
CVE: CVE-2009-1535
BugTraq ID: 34993
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 6.4 (CVSS Version 2.0)
CVSS Temporal: 5.3
 
Version Summary:

Microsoft has released a security bulletin and software updates to address the Internet Information Services WebDav Unicode processing security bypass vulnerability.  US-CERT has released a vulnerability note.

 
 
Description

Microsoft Internet Information Services (IIS) versions 5.0, 5.1, and 6.0 contain a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.

The vulnerability is due to improper processing of Unicode characters in HTTP requests.  An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the system.  An exploit could allow the attacker to bypass security restrictions and download arbitrary files from the targeted system.

Exploit code is available.

Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

 
Warning Indicators

Microsoft IIS versions 5.0, 5.1, and 6.0 are vulnerable.

 
IntelliShield Analysis

Only systems that have WebDav enabled are affected by this vulnerability.  In addition, attackers must be able to send HTTP requests to the vulnerable system to accomplish an exploit.  Depending on system configuration, an attacker may require access to internal networks to connect to a targeted system.

An exploit could allow the attacker to bypass security restrictions and access files stored on a targeted server, which may result in the disclosure of sensitive information.  Default IIS configurations restrict the actions that an attacker could perform.  Because an exploit only allows the attacker to take actions with the anonymous web account, he or she could only view files that allow IUSR access.  The attacker could not write files to IIS folders.

Administrators of sites that are hosting sensitive information on IIS servers that use WebDav are advised to put effective mitigations into place immediately because exploit code is publicly available.  However, there have been no public reports of exploits that attempt to leverage this vulnerability.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the June 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for June 2009

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS09-020

Microsoft has released a security advisory at the following link: 971492

US-CERT has released a vulnerability note at the following link: VU#787932

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to download or upload arbitrary files from a protected WebDav resource without authentication.

 
Technical Information

The vulnerability is due to improper processing of Unicode characters in HTTP requests.  When IIS is configured with WebDav, it improperly translates Unicode %c0%af (/) characters.  Microsoft IIS may process an HTTP request that contains the character before requiring authentication to a protected resource.  An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious HTTP request to the targeted server.  An exploit could allow the attacker to list directory contents or download protected files that are hosted by IIS without providing authentication credentials.  Although the attacker could view any files with the privileges of the anonymous IUSR account, write access to folders that are hosted within IIS is disabled by default to the anonymous web user.

 
Safeguards

Administrators are advised to apply the appropriate update.

Administrators are advised to restrict network access to affected systems.

Administrators may consider disabling WebDav.

Administrators may consider employing file-level access controls to restrict the anonymous web user account from accessing critical files.

Administrators are advised to monitor logging information for critical systems for the %c0%af character in HTTP requests.  Such requests may indicate exploit attempts.
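The Technical Information section above explains that IIS mistranslates the %c0%af sequence as a slash, and the safeguard above recommends watching logs for it. As an added example that is not part of the Cisco alert, the Python below shows why a lenient UTF-8 decoder collapses C0 AF to '/' and scans constructed IIS W3C log lines for that sequence, extending the check to the three- and four-byte overlong forms of '/'; it assumes the request URI is logged percent-encoded exactly as received.

```python
import re

# Constructed IIS 6.0 W3C extended log excerpt (sample data, not from the alert).
# Assumes the request URI is logged percent-encoded exactly as received.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-18 13:42:01 198.51.100.7 GET /public/index.htm - 200
2009-05-18 13:42:05 198.51.100.7 PROPFIND /protected/ - 401
2009-05-18 13:42:09 198.51.100.7 PROPFIND /%c0%afprotected/ - 207
2009-05-18 13:42:12 198.51.100.7 GET /%C0%AFprotected/secret.txt - 200
2009-05-18 13:43:00 203.0.113.9 GET /%e0%80%afprotected/ - 200
"""

# %c0%af is the two-byte overlong UTF-8 encoding of '/' (U+002F); the three- and
# four-byte overlong forms of the same character are matched as well.
OVERLONG_SLASH = re.compile(r"%c0%af|%e0%80%af|%f0%80%80%af", re.IGNORECASE)

def lenient_utf8_codepoint(seq: bytes) -> int:
    """Decode one multi-byte UTF-8 sequence WITHOUT the overlong check a conforming
    decoder performs (bytes.decode('utf-8') rejects C0 AF); shows why a lax parser reads it as '/'."""
    lead = seq[0]
    if lead >> 5 == 0b110:
        count, cp = 2, lead & 0x1F
    elif lead >> 4 == 0b1110:
        count, cp = 3, lead & 0x0F
    elif lead >> 3 == 0b11110:
        count, cp = 4, lead & 0x07
    else:
        raise ValueError("not a multi-byte lead byte")
    if len(seq) != count or any(b >> 6 != 0b10 for b in seq[1:]):
        raise ValueError("malformed sequence")
    for b in seq[1:]:  # each continuation byte contributes its low six bits
        cp = (cp << 6) | (b & 0x3F)
    return cp

def find_overlong_requests(log_text: str) -> list:
    """Return W3C log records whose URI stem or query carries an overlong '/'; column names come from #Fields."""
    fields = []
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#") and len(line.split()) == len(fields):
            rec = dict(zip(fields, line.split()))
            match = OVERLONG_SLASH.search(rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", ""))
            if match:
                hits.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                             "method": rec["cs-method"], "uri": rec["cs-uri-stem"],
                             "status": rec["sc-status"], "encoding": match.group(0).lower()})
    return hits
```

A hit with a 2xx status on a path that normally answers 401 is the case worth escalating; a 401 on the same path shows the check still held.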

 
Patches/Software

Microsoft customers can obtain updates directly by using the links in the security bulletin.  These updates are also distributed by Windows automatic update features and available on the Windows Update website.  Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.


Signatures

Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
5114/1 | WWW IIS Unicode Attack | S401 | 2009 May 13
5114/9 | WWW IIS Unicode Attack | S585 | 2011 Jul 28

Cisco Small Business IPS
Signature ID | Signature Name | Release | Latest Release Date
SBIPS2010-000085/ | WWW IIS Unicode Attack | SBIPS000004 | 2010 Jun 10
 
Alert History
 

Version 2, May 19, 2009, 10:54 AM: Microsoft has released a security advisory to address the Internet Information Services WebDav Unicode processing security bypass vulnerability.

Version 1, May 18, 2009, 9:42 AM: Microsoft Internet Information Services contains a vulnerability that could allow an unauthenticated, remote attacker to bypass security restrictions and access sensitive information.  Updates are unavailable.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc.: Internet Information Services (IIS) 5.1 Base | 6.0 Base

Associated Products:
Microsoft, Inc.: Windows Server 2003 Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc.: Windows XP Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2
