Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that provide a standard for editing and file management between computers on the Internet. A security vulnerability is present in Ntdll.dll, a Windows component used by WebDAV, because the component contains an unchecked buffer.
An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS). The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context).
Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional tools and preventive measures have been provided which customers can use to block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds and tools are discussed in the "Workarounds" section in the FAQ below.
Credit:
The information has been provided by Microsoft Product Security.
Affected Software:
* Microsoft Windows 2000
Mitigating factors:
* URLScan, which is part of the IIS Lockdown Tool, will block this attack in its default configuration
* The vulnerability can only be exploited remotely if an attacker can establish a web session with an affected server
Patch availability:
Download locations for this patch (Microsoft Windows 2000):
The patch for Windows 2000 is available at the following locations:
* All except Japanese NEC
* Japanese NEC
Why has Microsoft changed the information in the Caveats section of this bulletin?
Microsoft was made aware that some customers who had received a HotFix from Product Support Services experienced stop errors on boot after applying the patch released for this bulletin.
Microsoft has assessed this issue and now knows that it only occurs under a specific set of circumstances. A series of Windows 2000 HotFixes that were only available through Product Support Services and were issued between December 2001 and February 2002 were incompatible with the patch for this vulnerability. Customers who are running one of those 12 HotFixes on Windows 2000 Service Pack 2 will experience a stop error on reboot after applying this patch. More information on how to determine whether you have installed a HotFix that is incompatible with this patch is available in the Additional Information section under Caveats.
Customers who are running Windows 2000 Service Pack 3 or are not running one of these HotFixes will not encounter this problem.
What's the scope of the vulnerability?
This is a buffer-overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a component of Windows, Ntdll.dll, that can be called using WebDAV. By sending a specially constructed request through WebDAV, an attacker could cause code to run on a web server in the Local System security context.
What is WebDAV?
WebDAV is an industry standard extension to the HTTP specification. The "DAV" in "WebDAV" stands for "distributed authoring and versioning". WebDAV adds a capability for authorized users to remotely add and manage content on a web server. WebDAV is supported in Windows 2000.
What's wrong with the way IIS 5.0 handles WebDAV requests?
WebDAV uses IIS to pass requests to and from Windows 2000. When IIS receives a WebDAV request, it typically processes the request and then acts on it. However, if the request is formed in a particular way, a buffer overrun can result because one of the Windows components called by WebDAV does not correctly check parameters.
Can the vulnerability be exploited on Windows NT 4.0 through IIS 4.0?
No. WebDAV is not supported in IIS 4.0, so the ability for an attacker to exploit the vulnerability does not exist.
Can the vulnerability be exploited on Windows XP through IIS 5.1?
No. This vulnerability is not present on Windows XP.
If I have confirmed I am not running IIS 5.0 should I still install the patch?
Yes. Disabling or modifying IIS 5.0 will still leave the vulnerable Windows component on the system. All customers running Windows 2000 should install the patch.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a specially formed WebDAV request to a web server running IIS 5.0.
Who could exploit the vulnerability?
Any user who could deliver a WebDAV request to an affected web server could attempt to exploit the vulnerability. Because WebDAV requests travel over the same port as HTTP (normally port 80), this in essence means that any user who could establish a connection with an affected server could attempt to exploit the vulnerability.
What would this allow an attacker to do?
If an attacker were able to run code with Local System privileges on an affected system, the attacker would be able to take any action on the system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
How do I know if I am running IIS?
IIS 5.0 is installed by default on all server versions of Windows 2000. It is not installed on Windows 2000 Professional by default.
To check if IIS is installed on your system, carry out the following: Go to "Start | Settings | Control Panel | Administrative Tools | Services". If the "World Wide Web Publishing" service is listed then IIS is installed.
What products does IIS 5.0 ship with?
Internet Information Services 5.0 ships as part of Windows 2000 Datacenter Server, Advanced Server, Server, and Professional.
Does IIS 5.0 run by default?
IIS 5.0 runs by default on all Windows 2000 server products. It does not run by default on Windows 2000 Professional.
Is WebDAV enabled by default on IIS 5.0?
Yes, although it can be disabled by following the steps mentioned in the Workarounds section below.
Workarounds:
Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to block the WebDAV request used to exploit this vulnerability in the interim. In addition, Microsoft is providing tools and documentation to deploy these workarounds more easily.
It should be noted that these workarounds should be considered temporary measures as they simply block the path of attack rather than correcting the underlying vulnerability.
The following sections are intended to provide you with information to protect your computer from attack. Each section describes the workarounds that you may wish to use depending on your computer's configuration.
If you do not require IIS on your computer:
IIS can be disabled by running the IIS Lockdown tool. The IIS Lockdown tool is provided at the following location:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
Alternatively, you can also remove IIS by performing the steps listed in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B321141
If you require IIS but do not need WebDAV enabled:
WebDAV provides a standard for editing and file management between computers on the Internet. If you are not using WebDAV, you can disable it by running the IIS Lockdown tool and specifying to the tool that you do not use WebDAV. You can obtain the IIS Lockdown tool from the following location:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to disabling WebDAV, you should consider applying all of the lockdown including URLScan. Information on using the IIS lockdown tool is provided at the following location:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864
You may also disable WebDAV by following the instructions listed in the Microsoft Knowledge Base article at:
http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
If you require the use of WebDAV on your computer:
There are a number of workarounds that can be applied to block the request used to exploit this vulnerability and retain WebDAV functionality if you are using it.
Customers who cannot deploy the IIS Lockdown tool or URLScan to their web servers can restrict the buffer used by IIS to receive the request that can be used to exploit this vulnerability. Microsoft has provided the URL Buffer Size Registry Tool to automatically set the registry key that restricts the buffer. This tool can be run on web servers running Windows 2000 to protect against attacks that would attempt to exploit this vulnerability. The tool can be run locally on the web server to be protected, or it can be applied remotely to multiple web servers by a user who has administrative access to the servers. Information on the URL Buffer Size Registry Tool as well as additional workaround tools is located in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
The URL Buffer Size Registry tool can be run on systems running Windows 2000 Service Pack 2 or Service Pack 3. In addition, the registry change can be made manually by following the instructions in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260694
Note that customers should evaluate the maximum buffer size that is practical for their environment and set that value; in any case, the buffer should be set to a size of less than 64K bytes. Microsoft recommends 16K as a reasonable value; 16K is also the limit that the URL Buffer Size Registry tool sets automatically.
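As an added example (not part of the original advisory or of any Microsoft tool), the following Python script reads IIS W3C extended log records and flags WebDAV requests whose URL reaches the 16K cap recommended above, so an administrator can check logs for requests the buffer limit would have rejected. The log lines are constructed, the field layout is assumed to be the one named in the `#Fields:` header, and 16K is assumed to mean 16 * 1024 bytes.

```python
from dataclasses import dataclass

# Threshold taken from the advisory's recommendation of a 16K URL buffer;
# 16K is assumed here to mean 16 * 1024 bytes.
URL_BUFFER_LIMIT = 16 * 1024

# WebDAV-family methods as they appear in IIS logs (GET/OPTIONS are plain HTTP and skipped).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

@dataclass
class Finding:
    client: str
    method: str
    url_length: int
    status: str

def parse_w3c_line(line, fields):
    """Split one IIS W3C extended log record into a dict keyed by field name."""
    parts = line.split()
    return dict(zip(fields, parts)) if len(parts) == len(fields) else None

def scan_iis_log(text, limit=URL_BUFFER_LIMIT):
    """Return a Finding for each WebDAV request whose URL (stem + query) reaches limit bytes."""
    fields, findings = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns that follow
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = parse_w3c_line(line, fields)
        if rec is None or rec.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        query = rec.get("cs-uri-query", "-")   # IIS logs "-" for an empty query string
        length = len(rec.get("cs-uri-stem", "")) + (0 if query == "-" else 1 + len(query))
        if length >= limit:
            findings.append(Finding(rec.get("c-ip", "?"), rec["cs-method"].upper(),
                                    length, rec.get("sc-status", "?")))
    return findings

# Constructed sample log: a benign PROPFIND, an oversized SEARCH, and a plain GET.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-17 10:00:01 10.0.0.5 PROPFIND /docs/ - 207",
    "2003-03-17 10:00:02 10.0.0.9 SEARCH /" + "A" * 20000 + " - 500",
    "2003-03-17 10:00:03 10.0.0.5 GET /index.htm - 200",
])
```

Calling `scan_iis_log(SAMPLE_LOG)` returns a single Finding for the 20001-byte SEARCH request; lowering the limit below a server's real traffic will of course produce false positives, so tune it to the value you configured.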
URLScan, which is installed by the IIS Lockdown tool, will also block the web request that can be used to exploit this vulnerability. You can obtain the URLScan tool from:
http://www.microsoft.com/technet/security/tools/tools/urlscan.asp
Note that while the IIS Lockdown tool prevents the successful execution of this and many other attacks, it may interfere with the functioning of your web server under certain circumstances. While it is possible to limit your use of the IIS Lockdown tool to installation of URLScan, you should consider applying all of the lockdown including URLScan.
Information on customizing and configuring URLScan can be found at the following location:
http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
Information on using the IIS lockdown tool is provided at the following location:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;325864
What does the patch do?
The patch corrects the issue by changing the method by which the affected Windows component accepts requests.