MS03-007 - Unchecked Buffer (WebDav Protocol-IIS)

[Steven]

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title: Unchecked Buffer In Windows Component Could Cause

Server Compromise (815021)

Released: 17 Mar 2003

Revised: 23 Apr 2003 (version 2.0)

Software: Microsoft ® Windows ® NT 4.0 and Windows 2000

Impact: Run code of attacker's choice

Max Risk: Critical

Bulletin: MS03-007

Microsoft encourages customers to review the Security Bulletin

at: http://www.microsoft.com/technet/security/...in/MS03-007.asp

http://www.microsoft.com/security/security...ns/ms03-007.asp

- ----------------------------------------------------------------------

Reason for Revision:

====================

Microsoft originally released this security bulletin on March 17,

2003. At that time, Microsoft was aware of a publicly available

exploit that was being used to attack Windows 2000 Servers

running IIS 5.0. The attack vector in this case was WebDAV

although the underlying vulnerability was in a core operating

system component, ntdll.dll. Microsoft issued a patch to protect

Windows 2000 customers shortly afterwards, but also continued to

investigate the underlying vulnerability. Windows NT 4.0 also

contains the underlying vulnerability in ntdll.dll, however it

does not support WebDAV and therefore the known exploit was not

effective against Windows NT 4.0. Microsoft has now released a

patch for Windows NT 4.0.

Issue:

======

Microsoft Windows 2000 supports the World Wide Web Distributed

Authoring and Versioning (WebDAV) protocol. WebDAV, defined in

RFC 2518, is a set of extensions to the Hyper Text Transfer

Protocol (HTTP) that provide a standard for editing and file

management between computers on the Internet. A security

vulnerability is present in a Windows component used by WebDAV

and results because a core operating system component, ntdll.dll,

contains an unchecked buffer.

An attacker could exploit the vulnerability by sending a

specially formed HTTP request to a machine running Internet

Information Server (IIS). The request could cause the server to

fail or to execute code of the attacker's choice. The code would

run in the security context of the IIS service (which, by

default, runs in the LocalSystem context).

Although Microsoft has supplied a patch for this vulnerability

and recommends all affected customers install the patch

immediately, additional tools and preventive measures have been

provided that customers can use to block the exploitation of

this vulnerability while they are assessing the impact and

compatibility of the patch. These temporary workarounds and

tools are discussed in the "Workarounds" section in the FAQ

below.

Mitigating Factors:

====================

- -URLScan, which is a part of the IIS Lockdown Tool will block

this attack in its default configuration.

- -The vulnerability can only be exploited remotely if an attacker

can establish a web session with an affected server.

Risk Rating:

============

- Critical

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the

Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-007.asp

http://www.microsoft.com/security/security...ns/ms03-007.asp

for information on obtaining this patch.

- ---------------------------------------------------------------------

Edited April 24, 2003 by xStainDx

[Steven]

This patch has been updated as of today, For NT4.0 Customers, a Patch is now availible.