Microsoft and administrators alike are learning in the worst possible way about a newly discovered buffer overrun vulnerability in the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol that sets a standard (RFC 2518) for Web-based editing and for file management. The vulnerability has exposed many Windows 2000 systems to attack.
What’s the worst way to learn about a vulnerability? By having customer systems penetrated before you are even aware that there is a threat. That is just what happened recently, when customers began to tell Microsoft about this IIS Web server problem on the basis of actual attacks, rather than theoretical tests and proof-of-concept demonstrations by security vendors.
The problem lies in the way Windows 2000 handles unusually long data strings passed to the WebDAV component. This data is normally passed to the Ntdll.dll component, but this WebDAV implementation doesn’t handle the long string properly, resulting in a buffer overrun. If the system is also running IIS, an attacker can run arbitrary code.
Here are several key sources for additional details on this flaw:
This vulnerability affects Windows 2000 systems only. It affects all versions of Windows 2000, since they all use IIS 5.0. WebDAV is installed by default on a Windows 2000 Server installation. In Windows 2000 Professional systems, it is not installed by default.
According to Microsoft, this vulnerability does not affect Windows XP (IIS 5.1) or Windows NT 4.0 (IIS 2.0-4.0) systems.
The exploit for this flaw, which allows attackers to run the code of their choice, is already circulating on the Internet. Successful attacks have already been reported. Therefore, administrators need to patch this vulnerability as soon as possible.
Fix—apply the patch provided by Microsoft
Microsoft Security Bulletin MS 03-007 has a link to the latest version of the patch. MS 03-007 also reports that using URLScan (which is a part of the IIS Lockdown Tool) will protect systems, but there are no details on how or why. However, there is an extensive discussion of this process in Microsoft Knowledge Base Article 816930. The article describes workarounds that explain:
- How to lock down or disable IIS if your computer does not require it.
- How to disable WebDAV if you do not require it.
- How to use the URL Buffer Size Registry tool.
- How to manually change the MaxClientRequestBuffer registry value if you require WebDAV.
- How to manually create a MaxClientRequestBuffer registry file for a single computer if you require WebDAV.
- How to deploy the MaxClientRequestBuffer registry file through Active Directory by using a Group Policy object.
Mark Burnett of IISSecurity.info has also created a detailed write-up for NTBugtraq subscribers describing the steps you can take to block this attack.
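While the patch and the workarounds above close the hole, administrators will also want to know whether anyone has already sent their servers the unusually long WebDAV requests the bulletin describes. The following script is an added example, not code from the article, Microsoft, or IISSecurity.info: it reads IIS W3C extended log lines (field order taken from the log’s own `#Fields` directive) and reports WebDAV requests whose URI exceeds a length threshold. The threshold, the sample log lines, and the method list are the example’s own assumptions, not values from the bulletin.

```python
"""Flag unusually long WebDAV requests in IIS W3C extended log lines.

Added example for the MS03-007 discussion, not Microsoft's code.
Assumes the log declares its columns with a "#Fields:" directive, as
IIS 5.0 W3C extended logs do. Threshold and sample lines are constructed.
"""

# WebDAV verbs that reach the WebDAV component (assumed list).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the #Fields names."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#") or not line.strip():
            continue                       # other directives / blank lines
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_webdav(lines, max_uri_len=1024):
    """Return (client IP, method, URI length) for WebDAV requests whose
    URI is longer than max_uri_len (a tuning knob, assumed here)."""
    hits = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(uri) > max_uri_len:
            hits.append((rec.get("c-ip"), method, len(uri)))
    return hits


# Constructed sample log: one normal GET, one normal PROPFIND, and one
# SEARCH carrying a 65,001-character URI.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-18 10:15:02 10.0.0.5 GET /default.htm 200",
    "2003-03-18 10:15:07 10.0.0.7 PROPFIND /webdav/docs 207",
    "2003-03-18 10:15:09 10.0.0.9 SEARCH /" + "A" * 65000 + " 500",
]

if __name__ == "__main__":
    for ip, method, length in suspicious_webdav(SAMPLE_LOG):
        print(f"{ip} sent {method} with a {length}-byte URI")
```

A request that crashes the IIS process may never be written to the log, so an empty result is not proof that no attempt was made; treat the script as one signal alongside the patch status of each server.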
This is an extremely critical threat because there was none of the advance warning we usually see for newly discovered vulnerabilities before attacks begin. Microsoft and some unfortunate administrators learned about this new buffer overrun threat by having attackers actually target and penetrate systems. Windows administrators should act as soon as possible to close this vulnerability before their systems are exploited.