Microsoft Windows 2000 Service Pack 3 and Service Pack 4, XP Service Pack 1 and prior, XP 64-Bit Edition and Server 2003 running IIS 5.0, 5.1 or 6.0 contain a vulnerability that can allow a remote attacker to create a denial of service (DoS) condition. The vulnerability can only be exploited when IIS is running and WebDAV is enabled. On systems running Windows 2000, WebDAV is enabled by default when IIS is enabled. IIS 5.1 and 6.0 do not enable WebDAV by default.
The vulnerability exists due to how IIS handles WebDAV requests. IIS fails to properly filter requests that exceed a certain number of XML attributes, as WebDAV does not limit the number of attributes it accepts before passing on the request. An attacker can send a crafted WebDAV request to cause IIS to consume all CPU and memory resources, resulting in a DoS condition.
Exploit code is available to demonstrate the vulnerability.
Patches are available.
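The missing control described above is a limit on XML attributes in WebDAV request bodies. The following is an added example, not code from the advisory or from Microsoft: a pre-filter that a reverse proxy or log-replay tool could apply to WebDAV requests before they reach an unpatched server. The limits `MAX_ATTRS` and `MAX_BODY_BYTES`, the method list and the function names are assumptions chosen for illustration.

```python
import xml.parsers.expat

# Assumed policy values; the advisory does not state the actual threshold.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "LOCK", "SEARCH"}
MAX_ATTRS = 64
MAX_BODY_BYTES = 65536


class TooManyAttributes(Exception):
    """Raised as soon as the running attribute count passes the limit."""


def count_attributes(body: bytes, limit: int = MAX_ATTRS) -> int:
    """Stream the XML body; return the total attribute count or abort early."""
    total = 0

    def on_start(name, attrs):
        nonlocal total
        total += len(attrs) // 2  # ordered_attributes gives [name, value, ...]
        if total > limit:
            raise TooManyAttributes(total)

    def on_doctype(*args):
        raise ValueError("DTD not allowed in WebDAV bodies")

    parser = xml.parsers.expat.ParserCreate()
    parser.ordered_attributes = True
    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    # Feed in chunks so parsing stops shortly after the limit is crossed.
    for off in range(0, len(body), 4096):
        parser.Parse(body[off:off + 4096], False)
    parser.Parse(b"", True)
    return total


def verdict(method: str, body: bytes) -> str:
    """Decide whether a request may be forwarded to the WebDAV server."""
    if method.upper() not in WEBDAV_METHODS or not body:
        return "pass"
    if len(body) > MAX_BODY_BYTES:
        return "reject: body too large"
    try:
        count_attributes(body)
    except TooManyAttributes:
        return "reject: attribute limit"
    except (xml.parsers.expat.ExpatError, ValueError):
        return "reject: malformed XML"
    return "pass"
```

Namespace declarations such as `xmlns:D="DAV:"` count as attributes here, so the limit should leave headroom for legitimate clients. Disabling WebDAV where it is not needed and applying the vendor patch remain the actual fixes.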