| Field | Value |
|---|---|
| Short Name | HTTP:IIS:WEBDAV:SEARCH-OF |
| Severity | Critical |
| Recommended | No |
| Recommended Action | Drop |
| Category | HTTP |
| Keywords | IIS WebDAV SEARCH Command URL Overflow |
| Release Date | 2003/04/22 |
| Update Number | 1213 |
| Supported Platforms | di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |

HTTP: IIS WebDAV SEARCH Command URL Overflow
This signature detects attempts to exploit a known vulnerability against Microsoft IIS WebDAV. Attackers can send a maliciously crafted WebDAV URL request to the Web server to overflow the buffer and execute arbitrary code as the system account.
Extended Description
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
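For hosts that sit outside the inline signature's coverage, the same condition (a WebDAV request carrying an abnormally long URL) can be hunted for in IIS W3C extended logs. The following is an added example, not part of the signature or of any vendor tooling; the 2048-character threshold, the sample log lines and the function names are assumptions, and the check is widened from SEARCH to the other WebDAV verbs.

```python
"""Flag overlong WebDAV request URLs in IIS W3C extended logs (added example)."""

# WebDAV verbs from RFC 2518 plus SEARCH, the verb this signature names.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL",
                  "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumption: a site policy threshold, not a value taken from the advisory.
MAX_URI_LEN = 2048


def parse_w3c(lines):
    """Yield one dict per log entry, honouring every '#Fields:' directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def find_overlong_webdav(lines, max_len=MAX_URI_LEN):
    """Return (client, method, uri_length, status) for suspicious entries."""
    hits = []
    for entry in parse_w3c(lines):
        method = entry.get("cs-method", "").upper()
        uri = entry.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(uri) > max_len:
            hits.append((entry.get("c-ip", "-"), method, len(uri),
                         entry.get("sc-status", "-")))
    return hits


# Constructed sample log (documentation addresses, filler path characters).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-04-22 10:00:01 192.0.2.10 GET /index.htm 200",
    "2003-04-22 10:00:02 192.0.2.10 SEARCH /docs/reports 207",
    "2003-04-22 10:00:03 198.51.100.7 SEARCH /" + "A" * 5000 + " 500",
    "2003-04-22 10:00:04 198.51.100.7 GET /" + "B" * 5000 + " 404",
    "2003-04-22 10:00:05 203.0.113.5 LOCK /" + "C" * 3000 + " 500",
]

if __name__ == "__main__":
    for ip, method, length, status in find_overlong_webdav(SAMPLE_LOG):
        print(f"{ip} {method} uri_len={length} status={status}")
```

A request that brings the server process down before the entry is written may never reach the log, so this check complements the inline signature rather than replacing it.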
Affected Products
- Cisco Broadband Troubleshooter
- Cisco Building Broadband Service Manager (BBSM) 5.1.0
- Cisco Building Broadband Service Manager (BBSM) 5.2.0
- Cisco Building BroadBand Service Manager Hotspot 1.0.0
- Cisco Call Manager 1.0.0
- Cisco Call Manager 2.0.0
- Cisco Call Manager 3.0.0
- Cisco Call Manager 3.1.0
- Cisco Call Manager 3.1.0 (2)
- Cisco Call Manager 3.1.0 (3a)
- Cisco Call Manager 3.2.0
- Cisco Call Manager 3.3.0
- Cisco Call Manager 3.3.0 (3)
- Cisco Call Manager
- Cisco CiscoWorks VPN/Security Management Solution
- Cisco Collaboration Server
- Cisco Conference Connection
- Cisco Customer Response Application Server
- Cisco DOCSIS CPE Configurator
- Cisco Dynamic Content Adapter
- Cisco E-Mail Manager
- Cisco Emergency Responder
- Cisco Intelligent Contact Manager 5.0.0
- Cisco Intelligent Contact Manager
- Cisco Internet Service Node
- Cisco IP Contact Center Enterprise
- Cisco IP Contact Center Express
- Cisco IP Telephony Environment Monitor
- Cisco IP/VC 3540 Application Server
- Cisco IP/VC 3540 Video Rate Matching Module
- Cisco Lan Management Solution
- Cisco Media Blender
- Cisco Networking Services for Active Directory
- Cisco Network Registrar
- Cisco Personal Assistant
- Cisco QoS Policy Manager
- Cisco Routed Wan Management
- Cisco Secure Access Control Server 3.2.1
- Cisco Secure Policy Manager 3.0.1
- Cisco Secure Scanner
- Cisco Service Management
- Cisco Small Network Management Solution
- Cisco SN 5420 Storage Router 1.1.0 (2)
- Cisco SN 5420 Storage Router 1.1.0 (3)
- Cisco SN 5420 Storage Router 1.1.0 (4)
- Cisco SN 5420 Storage Router 1.1.0 (5)
- Cisco SN 5420 Storage Router 1.1.0 (7)
- Cisco SN 5420 Storage Router 1.1.3
- Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
- Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
- Cisco SN 5428 Storage Router SN5428-2.5.1-K9
- Cisco SN 5428 Storage Router SN5428-3.2.1-K9
- Cisco SN 5428 Storage Router SN5428-3.2.2-K9
- Cisco SN 5428 Storage Router SN5428-3.3.1-K9
- Cisco SN 5428 Storage Router SN5428-3.3.2-K9
- Cisco Trailhead
- Cisco Transport Manager
- Cisco Unity Server 2.0.0
- Cisco Unity Server 2.1.0
- Cisco Unity Server 2.2.0
- Cisco Unity Server 2.3.0
- Cisco Unity Server 2.4.0
- Cisco Unity Server 2.46.0
- Cisco Unity Server 3.0.0
- Cisco Unity Server 3.1.0
- Cisco Unity Server 3.2.0
- Cisco Unity Server 3.3.0
- Cisco Unity Server 4.0.0
- Cisco Unity Server
- Cisco uOne Enterprise Edition
- Cisco User Registration Tool
- Cisco Voice Manager
- Cisco VPN/Security Management Solution
- Cisco Wireless Lan Solution Engine
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows XP 64-bit Edition SP1
- Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional