MS IIS WebDAV Information Disclosure (May 28, 2009)


Microsoft Internet Information Server (IIS) is a collection of Internet service packages. It provides Web server, FTP server and SMTP server services, among others. The Web server service is equipped with the Active Server Pages (ASP) technology, which is used for dynamic content generation.

IIS supports Web Distributed Authoring and Versioning (WebDAV), a set of extensions to the HTTP protocol that allows users to manage files on a Web server, such as creating, reading or modifying files. Locking/protection, extended document properties, name space management, and resource collections are important features of the WebDAV protocol.

The WebDAV extension introduces a new HTTP request header, “Translate”. If the value of this header starts with “f”, the request is for a file, rather than the evaluation result of a server side script. WebDAV also adds PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK as HTTP request methods.

The WebDAV protocol uses an XML-based data transaction scheme defined in RFC 2518. The following is an example of a WebDAV PROPFIND request:

    PROPFIND /webdav/abc.txt HTTP/1.1
    Depth: 0
    User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
    Host: x.x.x.x
    Content-Length: 0
    Connection: Keep-Alive
    Pragma: no-cache

A vulnerability exists in IIS when the WebDAV extension is enabled. It is caused by improper handling of the Unicode token ‘/’ (%c0%af) embedded in WebDAV request URIs. The vulnerable code in the WebDAV extension discards the Unicode character ‘/’ and returns the requested resource without proper credentials, which discloses information to unauthorized people.

An example of an attack request for a protected file is listed below:

    GET /%c0%af/webdav/confidential HTTP/1.1
    Translate: f
    Connection: close
    Host: x.x.x.x

SonicWALL has created and released IPS signatures that detect and block generic attack attempts targeting this vulnerability. The following signatures address this issue:

  • 1466 MS IIS 6.0 WebDAV Information Disclosure 1
  • 1469 MS IIS 6.0 WebDAV Information Disclosure 2
  • 1481 MS IIS 6.0 WebDAV Information Disclosure 3
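
The request pattern described above can also be checked for in captured or proxied traffic. The following is an added example, not SonicWALL's signature logic or code from the original advisory: it percent-decodes the request path and flags overlong UTF-8 sequences, generalizing from the single %c0%af case to any 2-byte overlong form (lead byte C0 or C1) and the 3-byte overlong form (E0 followed by 80-9F). The function names, result fields and sample requests are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample requests (host is a placeholder, as in the advisory).
ATTACK = (b"GET /%c0%af/webdav/confidential HTTP/1.1\r\n"
          b"Translate: f\r\nConnection: close\r\nHost: x.x.x.x\r\n\r\n")
BENIGN = (b"PROPFIND /webdav/abc.txt HTTP/1.1\r\n"
          b"Depth: 0\r\nHost: x.x.x.x\r\nContent-Length: 0\r\n\r\n")


def overlong_sequences(raw: bytes):
    """Return (offset, hex) for each overlong UTF-8 sequence in raw bytes."""
    hits, i = [], 0
    while i < len(raw):
        b = raw[i]
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        is_cont = nxt is not None and 0x80 <= nxt <= 0xBF
        if b in (0xC0, 0xC1) and is_cont:
            # 2-byte form of a code point below U+0080, e.g. C0 AF for '/'
            hits.append((i, raw[i:i + 2].hex()))
            i += 2
        elif b == 0xE0 and nxt is not None and 0x80 <= nxt <= 0x9F:
            # 3-byte form of a code point below U+0800
            hits.append((i, raw[i:i + 3].hex()))
            i += 3
        else:
            i += 1
    return hits


def inspect_request(request: bytes):
    """Parse a raw HTTP request and report the indicators from the advisory."""
    head = request.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    method, target, _version = head[0].split(b" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    path = unquote_to_bytes(target.split(b"?", 1)[0])
    overlong = overlong_sequences(path)
    translate_f = headers.get(b"translate", b"").lower().startswith(b"f")
    return {
        "method": method.decode("ascii", "replace"),
        "overlong": overlong,
        "translate_f": translate_f,
        "alert": bool(overlong),
        # Overlong sequence plus Translate: f matches the request shown above
        "high_confidence": bool(overlong) and translate_f,
    }
```

Overlong forms never occur in valid UTF-8, so the `alert` flag alone is worth logging even when the Translate header is absent.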