CERT-MU :Vulnerability

Home | FAQ | Site Map | Contact Us

Hotline : 800 2378

To contact CERT-MU send e-mail on - info[at]cert-mu.gov.mu

To report incident e-mail on - incident[at]cert-mu.gov.mu

Charter & Mission

CERT-MU Services

Constituency

Authority

Incident Reporting

Vulnerability Reporting

World CERTs

Security Sites

Security Tools

Antivirus Resources

Email Abuse

Network Abuse

Authorized to use CERT(TM) - CERT is a mark owned by Carnegie Mellon University

CERT-MU Vulnerability Note VN-2009-14

Remote Authentication Bypass Vulnerability in Microsoft IIS 6.0 WebDAV

Original Issue Date: May 19, 2009

Severity Rating: High

Affected Softwares

Microsoft Internet Information Services 6.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 5.0

Overview

Authentication bypass vulnerability has been reported in Microsoft IIS that could allow a remote attacker to gain unauthorized access to protected WebDAV resources.

Description

Authentication bypass vulnerability in Microsoft Internet Information Service (IIS) could allow remote attackers to bypass access restriction. This vulnerability is caused due to improper handling of user supplied Unicode tokens while parsing the Uniform Resource Identifier ( URI ) and sending back data.

An unauthenticated, remote attacker could exploit this vulnerability by sending crafted HTTP GET requests containing special Unicode characters to the web server for authentication bypass and get access to password protected folders on vulnerable installations of IIS Server 6.0.

Workarounds

Install and Configure URL Scan Security Tool for all incoming requests to the web server to filter maliciously crafted HTTP GET request or URI containing improper Unicode tokens. http://www.microsoft.com/technet/security/tools/urlscan.mspx
Install and configure IIS Lockdown Tool to reduce the attack surface by turning off unnecessary features. http://www.microsoft.com/technet/security/tools/locktool.mspx
Change file system ACLs to deny access to the anonymous user account Microsoft Knowledge Base Article 271071 (http://support.microsoft.com/?id=271071)
Microsoft Knowledge Base Article 812614 (http://support.microsoft.com/kb/812614/)
Disable WebDAV functionality if not required on the web server.

CVE Name

CVE-2009-1535

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/971492.mspx

References

SecurityFocus
http://www.securityfocus.com/bid/34993

VUPEN Security
http://www.vupen.com/english/advisories/2009/1330

AusCERT
http://www.auscert.org.au/render.html?it=11001

Milw0rm
http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

CERT-In
http://www.cert-in.org.in/knowledgebase/guidelines/cisg-2006-01.htm