WebDAV Authentication Bypass on IIS 5.0, 5.1 and 6.0

Microsoft has released advisory 971492 about an Elevation of Privilege issue in the WebDAV extension for IIS 5.0, 5.1 and 6.0. These versions of IIS ship with Windows Server 2000, Windows XP and Windows Server 2003 respectively. The advisory describes who is affected and what the mitigations and workarounds are. The Microsoft Security Response Center (MSRC) has also released a blog post outlining our response, and the Security Research & Defense team has a blog post outlining the technical details.

Here are the key takeaways:

  1. This only affects WebDAV for IIS 5.0, 5.1 and 6.0. It does not affect WebDAV 7.0 for IIS 7.0.
  2. This issue does not affect non-DAV requests to IIS 5.0, 5.1 and 6.0.
  3. WebDAV is not enabled by default on IIS 6.0, and IIS is not installed by default on WinXP or Win2k3.
  4. File access checks are still enforced on vulnerable systems.
  5. The anonymous user account is explicitly denied write access to the default web root folder in the default configuration.
  6. SharePoint, OWA and Exchange use a different implementation of DAV that is unaffected.

The advisory has workarounds for protecting vulnerable systems. To find out whether a system is vulnerable, send the HTTP request below to the root of your site. You can use a tool like WFetch to send requests to your sites (even SSL-protected ones).

```
REQUEST: **************\n
OPTIONS / HTTP/1.1\r\n
Host: 127.0.0.1\r\n
Accept: */*\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 200 OK\r\n
Server: Microsoft-IIS/5.0\r\n
Date: Tue, 19 May 2009 20:13:53 GMT\r\n
MS-Author-Via: MS-FP/4.0,DAV\r\n
Content-Length: 0\r\n
Accept-Ranges: none\r\n
DASL: <DAV:sql>\r\n
DAV: 1, 2\r\n
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n
Cache-Control: private\r\n
\r\n
```

The interesting portions of the response are the DAV and MS-Author-Via headers, together with the absence of an X-MSDAVEXT header. To check whether WebDAV is enabled and in effect, verify the following items in the response.

  1. The OPTIONS request to the root of the site must return a 2xx response before the result can be analyzed. If it does not, the test is inconclusive.
  2. The response contains a DAV header with the value 1, 2.
  3. The response contains an MS-Author-Via header whose value includes DAV.
  4. The response DOES NOT contain an X-MSDAVEXT header. Its presence means the server is running SharePoint's DAV, a different implementation that is not susceptible to this vulnerability.
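As an added example (not part of the original post), the following Python applies these four checks to a raw OPTIONS response captured from a server. The sample responses are constructed: the first mirrors the IIS 5.0 response shown above, and the X-MSDAVEXT value in the second is an assumed placeholder.

```python
from typing import Dict, Tuple


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, lower-cased header map).
    Repeated headers are joined with ', '; the body, if any, is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def assess_webdav(raw: str) -> str:
    """Apply the post's four checks to an OPTIONS response and return:
    'inconclusive'       - not a 2xx status, nothing can be concluded
    'sharepoint-dav'     - X-MSDAVEXT present: SharePoint's unaffected DAV
    'webdav-enabled'     - DAV: 1, 2 and MS-Author-Via lists DAV, so the
                           affected IIS WebDAV extension is active
    'webdav-not-enabled' - the DAV markers are absent"""
    status, h = parse_response(raw)
    if not 200 <= status < 300:
        return "inconclusive"
    if "x-msdavext" in h:
        return "sharepoint-dav"
    dav = {t.strip() for t in h.get("dav", "").split(",")}
    author_via = {t.strip().upper() for t in h.get("ms-author-via", "").split(",")}
    if {"1", "2"} <= dav and "DAV" in author_via:
        return "webdav-enabled"
    return "webdav-not-enabled"


# Constructed sample that mirrors the IIS 5.0 response shown in the post.
SAMPLE_IIS5 = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "MS-Author-Via: MS-FP/4.0,DAV\r\n"
    "DAV: 1, 2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed SharePoint case: same headers plus an X-MSDAVEXT header (assumed value).
SAMPLE_SHAREPOINT = SAMPLE_IIS5.replace("DAV: 1, 2\r\n", "DAV: 1, 2\r\nX-MSDAVEXT: 1\r\n")
```

Feed `assess_webdav` the raw text that WFetch shows for the response; a result of `webdav-enabled` on IIS 5.0, 5.1 or 6.0 means the workarounds in the advisory apply.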
