Microsoft Downplays IIS Bug Threat
snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."
Re:WebDAV used much? (Score:5, Informative)
Yup. You need a fairly specific setup: WebDAV enabled on the same application as NTLM authentication (Kerberos and anonymous/form is ok as far as I understand), and there must not be anything on top of WebDAV for authentication (such as one of the various single sign-on ISAPIs or a CMS exposing its content through WebDAV with some form of custom security scheme).
Since no one in their right mind will have WebDAV and NTLM exposed to a public site, the "hackers" can only come from within in the vast majority of scenarios. Don't get me wrong: that is severe, as most hacking DOES come from within.
What makes it far more major is that it's one of the extremely rare remotely exploitable vulnerabilities that IIS6 has had. Contrary to Slashdot belief, IIS6 (IIS7 more so, though) is totally rock solid and extremely secure, so having something like that pop up is quite scary.
Not a typical configuration (Score:5, Informative)
For more information (Score:3, Informative)
The researcher nixes MS downplaying (Score:5, Informative)
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html [zoller.lu]
Several news stories seem to allude that Microsoft is artificially downplaying the threat; citations of myself are used to underline the headline in an "us against Microsoft" kind of way. I want to clarify that I have the utmost respect for the MSRC team and I don't suspect Microsoft of willingly downplaying anything. They also claim I am from Belgium; I am obviously from Luxembourg. The bug also is not the same as the IIS4/5 one; its root cause is similar. That's about it.
Re:'only a specific IIS configuration is at risk' (Score:5, Informative)
Only servers with WebDAV installed are vulnerable. WebDAV is not installed and configured by default.
Only IIS 5, 5.1 and 6 are potentially vulnerable under these conditions.
IIS 7 is not vulnerable even with WebDAV installed.
Re:WebDAV used much? (Score:5, Informative)
Since no one in their right mind will have WebDAV and NTLM exposed to a public site
They will if they're running Outlook Web Access, and haven't manually disabled NTLM using a command-line vbscript that comes with IIS.
Re:'only a specific IIS configuration is at risk' (Score:5, Informative)
Did they give any configuration which is not at risk?
Yes, several: More information about the IIS authentication bypass [technet.com]
Worth noting that this only affects IIS 5.x and 6.x, which, admittedly, accounts for the huge majority of IIS webservers, but IIS 7.x (Windows Server 2008 and above) is not affected.
Re:Serious question (Score:3, Informative)
For lazy people, about 3 vulnerabilities classified as "Highly" critical, 0 "Extremely", out of a total of around 50 across Apache 1, Apache 2.0.x, and Apache 2.2.x. Of the 50, the vast majority are at least partially fixed.
It's hard to get a fix on equivalent numbers for IIS, since they all seem to fall under the MS Windows category.
Re:'only a specific IIS configuration is at risk' (Score:5, Informative)
IIRC, WebDAV *is* configured by default on IIS 5. Here's a link to instructions on disabling it (the procedure involves adding a registry value and restarting IIS):
Microsoft KB Article #241520 [microsoft.com]
Re:WebDAV used much? (Score:5, Informative)
There is so much wrong with that statement... First, if it is a VBScript, it isn't manual and it isn't command-line.
Do me a favour. Find your IIS root folder (C:\Inetpub by default). Go into the AdminScripts subfolder. Try double-clicking adsutil.vbs and see how well it works running as a GUI app instead of being called from the command line using cscript.
Also when using Windows Integrated Auth, Kerberos is the default authentication. If Kerberos fails, then it uses NTLM. Unless you can provide a link that says otherwise...
Kerberos is allowed by default, but so is NTLM. If you want to *disallow* NTLM, you have to do this using the script I mentioned above, and in my original post. The syntax is e.g.:
cscript -nologo adsutil.vbs SET w3svc/1/root/NTAuthenticationProviders "Negotiate"
Seems pretty manual to me. But what do I know?
PS: You can verify this on your IIS install using the GET version of that command. The default is "Negotiate,NTLM" (which is also true if it's not explicitly defined). Most IIS admins and engineers don't know how to do things like set up SPNs for Kerberos authentication, which I'm sure is why NTLM is allowed by default.
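The two checks this thread keeps coming back to (is WebDAV on, and does a site still allow NTLM under Integrated Authentication) can be read off an IIS 5/6 host in one pass. The script below is an added example written for this page; it is not from the thread, from Microsoft, or from the researcher. It assumes it is run elevated on the IIS host itself, that the IIS ADSI provider is present (it is on IIS 6), and that the IIS 6 WebSvcExtRestrictionList entry for WebDAV has the form "allowed-flag,path,deletable,WEBDAV,description" with 1 meaning Allowed (an assumption of this script, not something the thread states). The registry value it looks at is the DisableWebDAV value from KB 241520 cited above; the NTAuthenticationProviders property is the same one the adsutil.vbs GET/SET commands above operate on. The Set-SiteNegotiateOnly function is the ADSI equivalent of the adsutil SET line and is defined but never called; nothing is modified unless you invoke it.

```powershell
# Audit script (added example, not from the thread): report whether this
# IIS 5/6 host matches the "WebDAV enabled + NTLM allowed" condition.
# Assumptions: run elevated on the IIS host; IIS ADSI provider available.

# IIS version from the InetStp key; IIS 7 and later are reported as unaffected.
$inetstp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$major = [int]$inetstp.MajorVersion
Write-Output ("IIS major version: " + $major)
if ($major -ge 7) {
    Write-Output "IIS 7 or later: outside the affected range, nothing more to check."
    return
}

# KB 241520: DisableWebDAV = 1 under W3SVC\Parameters turns WebDAV off (IIS 5 method).
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' -ErrorAction SilentlyContinue
if ($params -ne $null -and $params.DisableWebDAV -eq 1) {
    Write-Output "WebDAV (registry): disabled by DisableWebDAV=1"
} else {
    Write-Output "WebDAV (registry): DisableWebDAV not set to 1"
}

# IIS 6 gates WebDAV (httpext.dll) through the Web Service Extensions list.
# Assumed entry format: "<1 allowed|0 prohibited>,<path>,<deletable>,<group id>,<description>".
$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($entry in $w3svc.WebSvcExtRestrictionList) {
    $fields = ([string]$entry).Split(',')
    if ($fields.Length -ge 4 -and $fields[3].ToUpper() -eq 'WEBDAV') {
        if ($fields[0] -eq '1') {
            Write-Output "WebDAV (web service extension): ALLOWED"
        } else {
            Write-Output "WebDAV (web service extension): prohibited"
        }
    }
}

# Per-site NTAuthenticationProviders, i.e. what
#   cscript adsutil.vbs GET w3svc/<id>/root/NTAuthenticationProviders
# returns. An empty value means "not set explicitly", which IIS treats as
# "Negotiate,NTLM" (see the comment above).
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }
    $root = [ADSI]('IIS://localhost/W3SVC/' + $site.Name + '/Root')
    $providers = [string]$root.NTAuthenticationProviders
    $note = ''
    if ($providers -eq '') {
        $providers = 'Negotiate,NTLM'
        $note = ' (default, not set explicitly)'
    }
    $ntlmAllowed = $providers.ToUpper().Contains('NTLM')
    Write-Output ("Site " + $site.Name + " (" + $site.ServerComment + "): " +
                  $providers + $note + "; NTLM allowed: " + $ntlmAllowed)
}

# ADSI equivalent of:
#   cscript -nologo adsutil.vbs SET w3svc/<id>/root/NTAuthenticationProviders "Negotiate"
# Not called by this script. Only apply it once Kerberos already works for the
# site (SPNs registered); otherwise clients that could only fall back to NTLM
# will stop authenticating.
function Set-SiteNegotiateOnly([string]$siteId) {
    $root = [ADSI]('IIS://localhost/W3SVC/' + $siteId + '/Root')
    $root.Put('NTAuthenticationProviders', 'Negotiate')
    $root.SetInfo()
}
```

Run it as `.\Audit-IisDav.ps1` in an elevated PowerShell on the server. A site is in the configuration this thread describes when the WebDAV extension line reads ALLOWED (or, on IIS 5, DisableWebDAV is not 1) and that site's line reports "NTLM allowed: True". Because NTAuthenticationProviders inherits down the metabase, a value set at w3svc or at the site level also covers the Root node unless overridden there, so check the level you actually configure before calling Set-SiteNegotiateOnly.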
Re:WebDAV used much? (Score:5, Informative)
The system-wide WebDAV isn't required. Exchange installs its own, separate WebDAV components, which are.
See:
http://support.microsoft.com/kb/309508/ [microsoft.com] ("Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs that are not allowed by the default configuration [of the IIS Lockdown and URLScan tools].")
http://windowsitpro.com/article/articleid/38396/critical-webdav-vulnerability-are-your-exchange-servers-safe.html [windowsitpro.com] ("You can't disable WebDAV on your Exchange 2000 servers because OWA 2000 depends on WebDAV")
and
http://windowsitpro.com/article/articleid/45356/deciding-if-and-how-to-disable-webdav-access.html [windowsitpro.com] ("If you're trying to disable Exchange 2003's DAV implementation, be aware that Outlook Web Access (OWA) and several other Exchange components depend on DAV. By blocking specific DAV verbs at the network level (through a firewall) or by installing URLScan, you will break the Exchange DAV implementation."). This last article specifically mentions the separate DAV DLLs for Exchange.
Re:WebDAV used much? (Score:3, Informative)
Note 1: see this Microsoft article [microsoft.com] for the official documentation.
Note 2: I suspect that "Negotiate" might actually mean "use the operating-system-level security configurations of the client and the server to determine which protocol is acceptable", so that in order to truly *force* Kerberos you might also have to disallow all varieties of NTLM in the security policy for the server. That's just a guess though.