Microsoft Security Bulletin MS03-007
Unchecked buffer in Windows component could cause web server compromise (815021)
Originally posted: March 17, 2003

Summary

Who should read this bulletin: Systems administrators running Microsoft® Windows® 2000
Impact of vulnerability: Run code of attacker's choice
Maximum Severity Rating: Critical
Recommendation: Systems administrators should apply the patch immediately
Affected Software:
* Microsoft Windows 2000

Technical details

Technical description:
Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV, and results because the component contains an unchecked buffer. An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability and recommends customers install the patch immediately, additional tools and preventive measures have been provided that customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the "Workarounds" section in the FAQ below.
Mitigating factors:
* URLScan, which is a part of the IIS Lockdown Tool, will block this attack in its default configurations.
* The vulnerability can only be exploited remotely if an attacker can establish a web session with an affected server.

Severity Rating: Windows 2000: Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0109

Tested Versions: Microsoft tested Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Only Windows 2000 is affected by this bulletin. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a component that can be called using WebDAV. By sending a specially constructed request through WebDAV, an attacker could cause code to run on a web server in the Local System security context.

What is WebDAV?
WebDAV is an industry standard extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning." WebDAV adds a capability for authorized users to remotely add and manage content on a web server. WebDAV is supported in Windows 2000.

What's wrong with the way IIS 5.0 handles WebDAV requests?
WebDAV uses IIS to pass requests to and from Windows 2000.
When IIS receives a WebDAV request, it typically processes the request and then acts on it. However, if the request is formed in a particular way, a buffer overrun can result because one of the Windows components called by WebDAV does not correctly check parameters.

Can the vulnerability be exploited on Windows NT 4.0 through IIS 4.0?
No. WebDAV isn't supported in IIS 4.0, so the ability for an attacker to exploit the vulnerability doesn't exist.

Can the vulnerability be exploited on Windows XP through IIS 5.1?
No. This vulnerability is not present on Windows XP.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a specially formed WebDAV request to a web server running IIS 5.0.

Who could exploit the vulnerability?
Any user who could deliver a WebDAV request to an affected web server could attempt to exploit the vulnerability. Because WebDAV requests travel over the same port as HTTP (normally port 80), this in essence means that any user who could establish a connection with an affected server could attempt to exploit the vulnerability.

What would this allow an attacker to do?
If an attacker were able to run code with Local System privileges on an affected system, the attacker would be able to take any action on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.

How do I know if I am running IIS?
IIS 5.0 is installed by default on all server versions of Windows 2000. It is not installed on Windows 2000 Professional by default. To check if IIS is installed on your system, carry out the following: go to "Start | Settings | Control Panel | Administrative Tools | Services". If the "World Wide Web Publishing" service is listed, then IIS is installed.

What products does IIS 5.0 ship with?
Internet Information Services 5.0 ships as part of Windows 2000 Datacenter Server, Advanced Server, Server and Professional.
Does IIS 5.0 run by default?
IIS 5.0 runs by default on all Windows 2000 server products. It does not run by default on Windows 2000 Professional.

Is WebDAV enabled by default on IIS 5.0?
Yes, although it can be disabled by following the steps mentioned in the Workarounds section below.

Workarounds

Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to block the WebDAV request used to exploit this vulnerability in the interim. In addition, Microsoft is providing tools and documentation to deploy these workarounds more easily. It should be noted that these workarounds should be considered temporary measures as they simply block the path of attack rather than correcting the underlying vulnerability.

The following sections are intended to provide you with information to protect your computer from attack. Each section describes the workarounds that you may wish to use depending on your computer's configuration.

* If you do not require IIS on your computer:
  IIS can be disabled by running the IIS Lockdown tool. The IIS Lockdown tool is provided at the following location: http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
  Alternatively, you can also remove IIS by performing the steps listed in the following Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321141

* If you require IIS but do not need WebDAV enabled:
  WebDAV provides a standard for editing and file management between computers on the Internet. If you are not using WebDAV, you can disable it by running the IIS Lockdown tool and specifying to the tool that you do not use WebDAV.
  You can obtain the IIS Lockdown tool from the following location: http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
  Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to disabling WebDAV, you should consider applying all of the lockdown including URLScan. Information on using the IIS Lockdown tool is provided at the following location: http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864
  You may also disable WebDAV by following the instructions listed in the Microsoft Knowledge Base article at: http://support.microsoft.com/default.aspx?scid=kb;en-us;241520

* If you require the use of WebDAV on your computer:
  There are a number of workarounds that can be applied to block the request used to exploit this vulnerability and retain WebDAV functionality if you are using it.
  + Customers that cannot deploy the IIS Lockdown tool or URLScan to their web servers can restrict the buffer used by IIS to receive the request that can be used to exploit this vulnerability. Microsoft has provided the URL Buffer Size Registry Tool to automatically set the registry key that will restrict the buffer. This tool can be run on web servers running Windows 2000 to protect against attacks that would attempt to exploit this vulnerability. The tool can be run locally on the web server to be protected, or it can be applied remotely to multiple web servers by a user who has administrative access to the servers. Information on the URL Buffer Size Registry Tool as well as additional workaround tools is located in the following Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
    The URL Buffer Size Registry tool can be run on systems running Windows 2000 Service Pack 2 or Service Pack 3.
    In addition, the registry change can be made manually by following the instructions in the following Knowledge Base article: http://support.microsoft.com/default.aspx?scid=kb;en-us;260694
    Note that customers should evaluate the maximum buffer size that is practical for their environment and set that maximum value, but in any case the buffer should be set to a size less than 64K bytes. Microsoft recommends 16K as a reasonable value; 16K is the limit that will automatically be set by the URL Buffer Size Registry tool.
  + URLScan, which is installed by the IIS Lockdown tool, will also block the web request that can be used to exploit this vulnerability. You can obtain the URLScan tool from: http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
    Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to installation of URLScan, you should consider applying all of the lockdown including URLScan. Information on customizing and configuring URLScan can be found at the following location: http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
    Information on using the IIS Lockdown tool is provided at the following location: http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864

What does the patch do?
The patch corrects the issue by changing the method by which the affected Windows component accepts requests.

Patch availability

Download locations for this patch
Microsoft Windows 2000: The patch for Windows 2000 is available at the following location:
* All except Japanese NEC
* Japanese NEC

Additional information about this patch

Installation platforms: This patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
Inclusion in future service packs: The fix for this issue will be included in Windows 2000 Service Pack 4.
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
* To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021.
* To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP4\Q815021\Filelist.
Caveats: None
Localization: Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches: Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site.

Other information

Support:
* Microsoft Knowledge Base article 815021 discusses this issue. Additional Knowledge Base articles can be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
* V1.0 (March 17, 2003): Bulletin Created.
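The two WebDAV workarounds in the Workarounds section (refusing WebDAV verbs where WebDAV is not needed, and capping the request URL buffer at 16K, below the 64K ceiling) can be expressed as a single request screen. This is an added example in Python, not Microsoft's tooling or IIS code; the WebDAV verb list (the RFC 2518 methods plus SEARCH), the sample requests and the log-line format are assumptions made for the example.

```python
import re

# RFC 2518 methods plus SEARCH; assumption: the verb set that IIS Lockdown
# disables when told that WebDAV is not needed.
WEBDAV_VERBS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
)
MAX_URL_BYTES = 16 * 1024   # 16K, the value the URL Buffer Size Registry tool sets
HARD_CEILING = 64 * 1024    # the bulletin requires a limit below 64K bytes

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def screen_request(raw, webdav_enabled=False, max_url=MAX_URL_BYTES):
    """Classify one raw HTTP request. Returns (verdict, reason), verdict being
    "allow" or "block". The length cap is applied before the verb check, as a
    buffer limit at the front of the request path would be."""
    if not 0 < max_url < HARD_CEILING:
        raise ValueError("max_url must be positive and below 64K bytes")
    m = REQUEST_LINE.match(raw)
    if not m:
        return "block", "malformed request line"
    method, url = m.group(1).decode("ascii"), m.group(2)
    if len(url) > max_url:
        return "block", "URL length %d exceeds buffer limit %d" % (len(url), max_url)
    if method in WEBDAV_VERBS and not webdav_enabled:
        return "block", "WebDAV verb %s disabled" % method
    return "allow", "%s %d bytes" % (method, len(url))


def screen_batch(requests, **options):
    """Screen several requests and return one log line each, for review."""
    return ["%-5s %s" % (v.upper(), r)
            for v, r in (screen_request(x, **options) for x in requests)]


# Constructed sample traffic (not captured from any system): a normal GET,
# a WebDAV PROPFIND, and a GET whose URL is longer than the 16K cap.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\n\r\n",
    b"GET /" + b"a" * 20000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for line in screen_batch(SAMPLE_REQUESTS):
        print(line)
```

Run with `webdav_enabled=True` for servers that keep WebDAV; the length cap still applies, which is the case the URL Buffer Size Registry tool covers.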