
ms03-007
Posted Mar 17, 2003
Site microsoft.com

Microsoft Security Advisory MS03-007 - A critical buffer overflow vulnerability in Windows 2000's WebDAV protocol allows remote code execution via IIS as the LocalSystem user. This vulnerability is being exploited in the wild. URLScan, a part of the IIS Lockdown Tool, will block this attack.

tags | remote, overflow, code execution, protocol
systems | windows
SHA-256 | 228598fd496fa3d0bbdf98a8f5094d8923d56e083bc7b109b4eca59861da6d9d

Microsoft Security Bulletin MS03-007


Unchecked buffer in Windows component could cause web server compromise
(815021)

Originally posted: March 17, 2003

Summary

Who should read this bulletin: Systems administrators running
Microsoft ® Windows ® 2000

Impact of vulnerability: Run code of attacker's choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch
immediately

Affected Software:
* Microsoft Windows 2000

Technical details

Technical description:

Microsoft Windows 2000 supports the World Wide Web Distributed
Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC
2518, is a set of extensions to the Hyper Text Transfer Protocol
(HTTP) that provide a standard for editing and file management
between computers on the Internet. A security vulnerability is
present in a Windows component used by WebDAV, and results because
the component contains an unchecked buffer.

An attacker could exploit the vulnerability by sending a specially
formed HTTP request to a machine running Internet Information Server
(IIS). The request could cause the server to fail or to execute code
of the attacker's choice. The code would run in the security context
of the IIS service (which, by default, runs in the LocalSystem
context).

Although Microsoft has supplied a patch for this vulnerability and
recommends customers install the patch immediately, additional tools
and preventive measures have been provided that customers can use to
block the exploitation of this vulnerability while they are assessing
the impact and compatibility of the patch. These temporary
workarounds and tools are discussed in the "Workarounds" section in
the FAQ below.

Mitigating factors:
* URLScan, which is a part of the IIS Lockdown Tool, will block this
attack in its default configuration
* The vulnerability can only be exploited remotely if an attacker can
establish a web session with an affected server

Severity Rating:

Windows 2000 Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0109

Tested Versions:
Microsoft tested Windows NT 4.0, Windows 2000, and Windows XP, to
assess whether they are affected by this vulnerability. Only Windows
2000 is affected by this bulletin. Previous versions are no longer
supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully
exploited this vulnerability could gain complete control over an
affected web server. This would give the attacker the ability to take
any desired action on the server, including changing web pages,
reformatting the hard drive or adding new users to the local
administrators group.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in a
component that can be called using WebDAV. By sending a specially
constructed request through WebDAV, an attacker could cause code to
run on a web server in the Local System security context.

What is WebDAV?

WebDAV is an industry standard extension to the HTTP specification.
The "DAV" in "WebDAV" stands for "distributed authoring and
versioning." WebDAV adds a capability for authorized users to
remotely add and manage content on a web server. WebDAV is supported
in Windows 2000.

What's wrong with the way IIS 5.0 handles WebDAV requests?

WebDAV uses IIS to pass requests to and from Windows 2000. When IIS
receives a WebDAV request, it typically processes the request and
then acts on it. However, if the request is formed in a particular
way, a buffer overrun can result because one of the Windows
components called by WebDAV does not correctly check parameters.

Can the vulnerability be exploited on Windows NT 4.0 through IIS 4.0?

No. WebDAV isn't supported in IIS 4.0, so the ability for an attacker
to exploit the vulnerability doesn't exist.

Can the vulnerability be exploited on Windows XP through IIS 5.1?

No. This vulnerability is not present on Windows XP.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by sending a
specially formed WebDAV request to a web server running IIS 5.0.

Who could exploit the vulnerability?

Any user who could deliver a WebDAV request to an affected web server
could attempt to exploit the vulnerability. Because WebDAV requests
travel over the same port as HTTP (normally port 80), this in essence
means that any user who could establish a connection with an affected
server could attempt to exploit the vulnerability.

What would this allow an attacker to do?

If an attacker were able to run code with Local System privileges on
an affected system, the attacker would be able to take any action on
the system, including installing programs, viewing, changing or
deleting data, or creating new accounts with full privileges.

How do I know if I am running IIS?

IIS 5.0 is installed by default on all server versions of Windows
2000. It is not installed on Windows 2000 Professional by default.

To check if IIS is installed on your system, carry out the following:
Go to "Start | Settings | Control Panel | Administrative Tools |
Services". If the "World Wide Web Publishing" service is listed then
IIS is installed.

What products does IIS 5.0 ship with?

Internet Information Services 5.0 ships as part of Windows 2000
Datacenter Server, Advanced Server, Server and Professional.

Does IIS 5.0 run by default?

IIS 5.0 runs by default on all Windows 2000 server products. It does
not run by default on Windows 2000 Professional.

Is WebDAV enabled by default on IIS 5.0?

Yes, although it can be disabled by following the steps mentioned in
the Workarounds section below.

Workarounds

Are there any workarounds that can be used to block exploitation of
this vulnerability while I am testing or evaluating the patch?

Yes. Although Microsoft urges all customers to apply the patch at the
earliest possible opportunity, there are a number of workarounds that
can be applied to block the WebDAV request used to exploit this
vulnerability in the interim. In addition, Microsoft is providing
tools and documentation to deploy these workarounds more easily.

It should be noted that these workarounds should be considered
temporary measures as they simply block the path of attack rather
than correcting the underlying vulnerability.

The following sections are intended to provide you with information
to protect your computer from attack. Each section describes the
workarounds that you may wish to use depending on your computer's
configuration.

* If you do not require IIS on your computer:
IIS can be disabled by running IIS lockdown tool. The IIS lockdown
tool is provided at the following location:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
Alternatively, you can also remove IIS by performing the steps
listed in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321141
* If you require IIS but do not need WebDAV enabled:
WebDAV provides a standard for editing and file management between
computers on the Internet. If you are not using WebDAV, you can
disable it by running the IIS Lockdown tool and specifying to the
tool that you do not use WebDAV. You can obtain the IIS Lockdown
tool from the following location:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
Note that while the IIS Lockdown tool prevents the successful
execution of this and many other attacks, it may interfere with the
functioning of your web server under certain circumstances. While it
is possible to limit your use of the IIS Lockdown tool to disabling
WebDAV, you should consider applying all of the lockdown including
URLScan. Information on using the IIS lockdown tool is provided at
the following location:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864
You may also disable WebDAV by following the instructions listed in
the Microsoft Knowledge Base article at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
* If you require the use of WebDAV on your computer:
There are a number of workarounds that can be applied to block the
request used to exploit this vulnerability and retain WebDAV
functionality if you are using it.
+ Customers that cannot deploy the IIS lockdown tool or URLScan
to their web servers can restrict the buffer used by IIS to
receive the request that can be used to exploit this
vulnerability. Microsoft has provided the URL Buffer Size
Registry Tool to automatically set the registry key that will
restrict the buffer. This tool can be run on Web Servers
running Windows 2000 to protect against attacks that would
attempt to exploit this vulnerability. The tool can be run
locally on the web server to be protected, or it can be applied
remotely to multiple web servers by a user who has
administrative access to the servers. Information on the URL
Buffer Size Registry Tool as well as additional workaround
tools is located in the following Knowledge Base Article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
The URL Buffer Size Registry tool can be run on systems running
Windows 2000 Service Pack 2 or Service Pack 3. In addition, the
registry change can be made manually by following the
instructions in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260694
Note that customers should evaluate the maximum buffer size
that is practical for their environment and set that maximum
value, but in any case the buffer should be set to a size less
than 64K bytes. Microsoft recommends 16K as a reasonable value.
16K is the limit that will automatically be set by the URL
Buffer Size Registry tool.
+ URLScan, which is installed by the IIS Lockdown tool, will also
block the web request that can be used to exploit this
vulnerability. You can obtain the URLScan tool from:
http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
Note that while the IIS Lockdown tool prevents the successful
execution of this and many other attacks, it may interfere with
the functioning of your web server under certain circumstances.
While it is possible to limit your use of the IIS Lockdown tool
to installation of URLScan, you should consider applying all of
the lockdown including URLScan.
Information on customizing and configuring URLScan can be found
at the following location:
http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
Information on using the IIS lockdown tool is provided at the
following location:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864
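The same thresholds the buffer-size workaround uses can be applied on the detection side. The following is an added example, not Microsoft's code or any of the tools named above: it scans constructed IIS 5.0 W3C extended log lines and flags every request whose URL exceeds the recommended 16K buffer size, marking those at 64K or more and those using WebDAV verbs. The log field order and the WebDAV method list are assumptions made for the example.

```python
"""Flag oversized requests in IIS 5.0 W3C extended log lines (added example,
not part of the MS03-007 bulletin; the log lines below are constructed)."""
from dataclasses import dataclass

RECOMMENDED_LIMIT = 16 * 1024  # 16K, the URL buffer size the bulletin recommends
HARD_LIMIT = 64 * 1024         # the bulletin says the buffer must stay below 64K

# WebDAV method names (assumption: the bulletin only says "a WebDAV request").
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Field order assumed for the constructed lines, matching the #Fields: header.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2003-03-17 10:15:02 192.0.2.10 GET /default.htm - 200",
    "2003-03-17 10:15:09 192.0.2.10 PROPFIND /webdav/ - 207",
    # URL longer than the recommended 16K but under the 64K ceiling
    "2003-03-17 10:16:41 198.51.100.7 GET /" + "B" * 20000 + " q=1 414",
    # URL of 64K or more: a size the bulletin says the buffer must never accept
    "2003-03-17 10:17:03 198.51.100.7 PROPFIND /" + "A" * 70000 + " - 500",
]

@dataclass
class Finding:
    client: str
    method: str
    url_length: int
    over_hard_limit: bool  # URL is 64K or more
    webdav: bool           # method is a WebDAV verb, the vector this bulletin covers

def url_length(stem: str, query: str) -> int:
    """Length of the URL as received; '-' in the log means no query string."""
    return len(stem) if query == "-" else len(stem) + 1 + len(query)  # +1 for '?'

def scan(lines, limit=RECOMMENDED_LIMIT):
    """Return a Finding for every request whose URL exceeds `limit` bytes."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and directives
        # IIS encodes spaces inside URLs, so splitting on spaces yields the fields
        rec = dict(zip(FIELDS, line.split(" ", len(FIELDS) - 1)))
        length = url_length(rec["cs-uri-stem"], rec["cs-uri-query"])
        if length > limit:
            findings.append(Finding(rec["c-ip"], rec["cs-method"], length,
                                    length >= HARD_LIMIT, rec["cs-method"] in WEBDAV_METHODS))
    return findings
```

Running `scan(SAMPLE_LOG)` reports the two oversized requests and leaves the ordinary GET and PROPFIND untouched; raising `limit` to `HARD_LIMIT` keeps only the 70001-byte request.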

What does the patch do?

The patch corrects the issue by changing the method by which the
affected Windows component accepts requests.

Patch availability

Download locations for this patch Microsoft Windows 2000:

The patch for Windows 2000 is available at the following location:

* All except Japanese NEC
* Japanese NEC

Additional information about this patch

Installation platforms:
This patch can be installed on systems running Windows 2000 Service
Pack 2 or Service Pack 3.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack
4.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:
* To verify that the patch has been installed on the machine, confirm
that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021
To verify the individual files, use the date/time and version
information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021\Filelist

Caveats:
None

Localization:
Localized versions of this patch are available at the locations
discussed in "Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:
* Security patches are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
* Patches for consumer platforms are available from the WindowsUpdate
web site

Other information:

Support:
* Microsoft Knowledge Base article 815021 discusses this issue.
Additional Knowledge Base articles can be found on the Microsoft
Online Support web site.
* Technical support is available from Microsoft Product Support
Services. There is no charge for support calls associated with
security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.

Revisions:
* V1.0 (March 17, 2003): Bulletin Created.
