Short Name | HTTP:IIS:WEBDAV:COMMAND-OF
Severity | Critical
Recommended | No
Recommended Action | Drop
Category | HTTP
Keywords | IIS5.0 WebDAV Command URL Overflow
Release Date | 2009/09/29
Update Number | 1518
Supported Platforms | idp-4.0.110090709+, isg-3.1.134269+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
HTTP: IIS5.0 WebDAV Command URL Overflow
This signature detects attempts to exploit a known vulnerability against Microsoft IIS WebDAV. Attackers can send a maliciously crafted WebDAV URL request to the Web server to execute arbitrary code as the system account.
Extended Description
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revised its advisory to state that this vulnerability affects Windows NT systems. As Windows NT does not support WebDAV, exploits using WebDAV as the attack vector will not be effective against Windows NT systems. Windows XP also does not include WebDAV by default, but other attack vectors may be possible, especially in cases where the attacker has interactive access to the system. WebDAV may be installed by a user on Windows XP with IIS 5.1, so WebDAV may be a possible means of exploitation in these circumstances.
** Reports suggest that numerous hosts have been scanned in an attempt to exploit this vulnerability. Although unconfirmed, this may be the result of a system of automated attacks.
** It has been reported that this vulnerability is also present in the "RtlGetFullPathName_U" function. The supplied Microsoft patch (Q815021) also corrects this function.
** It has been reported that the W32.Welchia.Worm, described in MCID 1811, is actively exploiting this vulnerability.
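A defender-side sketch of the kind of check described above, added here as an example and not the Juniper signature's own logic: it flags WebDAV requests whose request target is unusually long. The length limit, the function names and the sample request lines are assumptions made for this example; the page states no length.

```python
# Added example: heuristic check, not the Juniper signature's actual logic.
from dataclasses import dataclass

# WebDAV methods from RFC 4918, plus SEARCH from RFC 5323.
WEBDAV_METHODS = frozenset(
    {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
)
# Assumed, tunable limit in bytes; the page does not state a length.
MAX_TARGET_LEN = 2048


@dataclass
class Verdict:
    method: str
    target_len: int
    suspicious: bool
    reason: str


def inspect_request_line(line: bytes, max_len: int = MAX_TARGET_LEN) -> Verdict:
    """Classify one HTTP request line (bytes, without the trailing CRLF)."""
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        # Malformed lines are reported rather than silently skipped.
        return Verdict("?", len(line), True, "malformed request line")
    method = parts[0].decode("ascii", errors="replace").upper()
    target_len = len(parts[1])
    if method not in WEBDAV_METHODS:
        return Verdict(method, target_len, False, "not a WebDAV method")
    if target_len > max_len:
        return Verdict(method, target_len, True, "overlong WebDAV request target")
    return Verdict(method, target_len, False, "WebDAV request within limit")


# Constructed sample input (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1",
    b"PROPFIND /docs/ HTTP/1.1",
    b"SEARCH /" + b"A" * 4000 + b" HTTP/1.1",
    b"GET /" + b"A" * 4000 + b" HTTP/1.1",
    b"LOCK /a b HTTP/1.1",
]


def flagged(samples=SAMPLES):
    """Return (method, reason) for every sample judged suspicious."""
    return [(v.method, v.reason) for v in map(inspect_request_line, samples) if v.suspicious]


if __name__ == "__main__":
    for item in flagged():
        print(item)
```

The long GET sample is deliberately not flagged: this check covers only the WebDAV vector, and the other attack vectors the description mentions need their own coverage.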
Affected Products
- Cisco broadband_troubleshooter
- Cisco building_broadband_service_manager_(bbsm) 5.1.0
- Cisco building_broadband_service_manager_(bbsm) 5.2.0
- Cisco building_broadband_service_manager_hotspot 1.0.0
- Cisco call_manager 1.0.0
- Cisco call_manager 2.0.0
- Cisco call_manager 3.0.0
- Cisco call_manager 3.1.0
- Cisco call_manager 3.1.0 (2)
- Cisco call_manager 3.1.0 (3a)
- Cisco call_manager 3.2.0
- Cisco call_manager 3.3.0
- Cisco call_manager 3.3.0 (3)
- Cisco call_manager
- Cisco ciscoworks_vpn/security_management_solution
- Cisco collaboration_server
- Cisco conference_connection
- Cisco customer_response_application_server
- Cisco docsis_cpe_configurator
- Cisco dynamic_content_adapter
- Cisco e-mail_manager
- Cisco emergency_responder
- Cisco intelligent_contact_manager 5.0.0
- Cisco intelligent_contact_manager
- Cisco internet_service_node
- Cisco ip_contact_center_enterprise
- Cisco ip_contact_center_express
- Cisco ip_telephony_environment_monitor
- Cisco ip/vc_3540_application_server
- Cisco ip/vc_3540_video_rate_matching_module
- Cisco lan_management_solution
- Cisco media_blender
- Cisco networking_services_for_active_directory
- Cisco network_registar
- Cisco personal_assistant
- Cisco qos_policy_manager
- Cisco routed_wan_management
- Cisco secure_access_control_server 3.2.1
- Cisco secure_policy_manager 3.0.1
- Cisco secure_scanner
- Cisco service_management
- Cisco small_network_management_solution
- Cisco sn_5420_storage_router 1.1.0 (2)
- Cisco sn_5420_storage_router 1.1.0 (3)
- Cisco sn_5420_storage_router 1.1.0 (4)
- Cisco sn_5420_storage_router 1.1.0 (5)
- Cisco sn_5420_storage_router 1.1.0 (7)
- Cisco sn_5420_storage_router 1.1.3
- Cisco sn_5428_storage_router SN5428-2-3.3.1-K9
- Cisco sn_5428_storage_router SN5428-2-3.3.2-K9
- Cisco sn_5428_storage_router SN5428-2.5.1-K9
- Cisco sn_5428_storage_router SN5428-3.2.1-K9
- Cisco sn_5428_storage_router SN5428-3.2.2-K9
- Cisco sn_5428_storage_router SN5428-3.3.1-K9
- Cisco sn_5428_storage_router SN5428-3.3.2-K9
- Cisco trailhead
- Cisco transport_manager
- Cisco unity_server 2.0.0
- Cisco unity_server 2.1.0
- Cisco unity_server 2.2.0
- Cisco unity_server 2.3.0
- Cisco unity_server 2.4.0
- Cisco unity_server 2.46.0
- Cisco unity_server 3.0.0
- Cisco unity_server 3.1.0
- Cisco unity_server 3.2.0
- Cisco unity_server 3.3.0
- Cisco unity_server 4.0.0
- Cisco unity_server
- Cisco uone_enterprise_edition
- Cisco user_registration_tool
- Cisco voice_manager
- Cisco vpn/security_management_solution
- Cisco wireless_lan_solution_engine
- Microsoft windows_2000_advanced_server SP1
- Microsoft windows_2000_advanced_server SP2
- Microsoft windows_2000_advanced_server SP3
- Microsoft windows_2000_advanced_server
- Microsoft windows_2000_datacenter_server SP1
- Microsoft windows_2000_datacenter_server SP2
- Microsoft windows_2000_datacenter_server SP3
- Microsoft windows_2000_datacenter_server
- Microsoft windows_2000_professional SP1
- Microsoft windows_2000_professional SP2
- Microsoft windows_2000_professional SP3
- Microsoft windows_2000_professional
- Microsoft windows_2000_server SP1
- Microsoft windows_2000_server SP2
- Microsoft windows_2000_server SP3
- Microsoft windows_2000_server
- Microsoft windows_2000_terminal_services SP1
- Microsoft windows_2000_terminal_services SP2
- Microsoft windows_2000_terminal_services SP3
- Microsoft windows_2000_terminal_services
- Microsoft windows_nt_enterprise_server 4.0
- Microsoft windows_nt_enterprise_server 4.0 SP1
- Microsoft windows_nt_enterprise_server 4.0 SP2
- Microsoft windows_nt_enterprise_server 4.0 SP3
- Microsoft windows_nt_enterprise_server 4.0 SP4
- Microsoft windows_nt_enterprise_server 4.0 SP5
- Microsoft windows_nt_enterprise_server 4.0 SP6
- Microsoft windows_nt_enterprise_server 4.0 SP6a
- Microsoft windows_nt_server 4.0
- Microsoft windows_nt_server 4.0 SP1
- Microsoft windows_nt_server 4.0 SP2
- Microsoft windows_nt_server 4.0 SP3
- Microsoft windows_nt_server 4.0 SP4
- Microsoft windows_nt_server 4.0 SP5
- Microsoft windows_nt_server 4.0 SP6
- Microsoft windows_nt_server 4.0 SP6a
- Microsoft windows_nt_terminal_server 4.0
- Microsoft windows_nt_terminal_server 4.0 SP1
- Microsoft windows_nt_terminal_server 4.0 SP2
- Microsoft windows_nt_terminal_server 4.0 SP3
- Microsoft windows_nt_terminal_server 4.0 SP4
- Microsoft windows_nt_terminal_server 4.0 SP5
- Microsoft windows_nt_terminal_server 4.0 SP6
- Microsoft windows_nt_workstation 4.0
- Microsoft windows_nt_workstation 4.0 SP1
- Microsoft windows_nt_workstation 4.0 SP2
- Microsoft windows_nt_workstation 4.0 SP3
- Microsoft windows_nt_workstation 4.0 SP4
- Microsoft windows_nt_workstation 4.0 SP5
- Microsoft windows_nt_workstation 4.0 SP6
- Microsoft windows_nt_workstation 4.0 SP6a
- Microsoft windows_xp_64-bit_edition SP1
- Microsoft windows_xp_64-bit_edition
- Microsoft windows_xp_home SP1
- Microsoft windows_xp_home
- Microsoft windows_xp_professional SP1
- Microsoft windows_xp_professional
References