This site uses advanced css techniques
In May 2009, a vulnerability in Microsoft's Internet Information Service's WebDAV was discovered, one which allows unauthenticated remote access to the server. Security researcher Thierry Zoller published a detailed analysis of it: this is a serious vulnerability which is reported to be experiencing exploits in the wild.
The vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems are getting hacked with this, and it's important to assess your local security posture and take steps to mitigate exposures that are discovered.
Microsoft published information on this in their Security Advisory (971492), but we found their guidance confusing for users who were not IIS experts. While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the "not vulnerable" stage if that's indeed the case.
Most systems are likely not vulnerable, but unless the flowchart below leads to "You are not vulnerable", we strongly recommend seeking local expertise to help assess your situation properly.
WebDAV is Web-based Distributed Authoring and Versioning, an extension to the HTTP protocol to allow for remotely managing content on a webserver. Though the HTTP protocol does define GET, PUT, and DELETE methods, these are not sufficient for proper remote authoring (for instance, HTTP provides no method for creating a remote directory).
These extensions are general enough to use a webserver as repository for remote folders: Microsoft's "Web Folders" extension to Windows Explorer implemented this in a way that allowed for mostly-native access to a remote web repository as if it were a local folder right from the Windows desktop.
It performs mostly the same functions that FTP does for publishing content, though a bit more efficiently and with features more in line with web publishing than FTP. FTP has always been a somewhat problematic protocol with respect to firewalls, and WebDAV has none of those issues (though WebDAV is reported to have its own issues with proxies).
WebDAV extends, not replaces the existing HTTP protocols, and a WebDAV-enabled server simply responds to a larger command set. This is best illustrated with this table showing the method names for the base HTTP protocol, WebDAV Extensions, and additional extensions supported by Microsoft.
Note that it's not necessary to understand the particulars here, but we feel that putting a new technology in context makes it easier to see where it fits in the big picture: consider it FYI-only.
|HTTP||GET||Retrieves a resource (such as a web page) from the server, possible with a small amount of parameter data in the form of a query. This is the most common HTTP method.|
|POST||Retrieves a resource with a possibly large number of submitted parameters. This is commonly used by a web browser.|
|HEAD||Identical to a GET request, but returns just the HTTP headers and not the body of the message.|
|DELETE||Attempts to delete a resources; not commonly used by a browser|
|PUT||Uploads a version of a document; not commonly used by browsers.|
|Not commonly used.|
|WebDAV||PROPFIND||Used to retrieve properties, stored as XML, from a resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system.|
|PROPPATCH||Used to change or delete ("patch") multiple properties on a resource in a single atomic act.|
|MKCOL||Used to create collections (example: a directory).|
|COPY||Used to copy a resource from one URI to another.|
|MOVE||Used to move a resource from one URI to another.|
|LOCK||Used to put a lock on a resource. WebDAV supports both shared and exclusive locks.|
|UNLOCK||To remove a lock from a resource.|
| WebDAV w/
|BCOPY||Batched version of COPY|
|BDELETE||Batched version of DELETE|
|BMOVE||Batched version of MOVE|
|BPROPFIND||Batched version of PROPFIND|
|BPROPPATCH||Batched version of PROPPATCH|
If you're running any version of IIS with WebDAV enabled, you're possibly vulnerable, but if WebDAV is not enabled, you're certainly not. To help determine if you have anything to worry about, we've prepared this flowchart to help you figure it out for yourself, though it's geared to the more common case of "for sure not vulnerable".
NOT SURE: Your version of IIS is determined by the version of the operating system you're running (from Microsoft KB224609).
You're either possibly vulnerable or not vulnerable.
Unfortunately, the answer here is "that depends".
If the webserver is exposed to the Internet, this is the highest risk: there are known exploits floating about, and auto-hack bots are just a matter of time.
For internal-only sites (such as an Intranet), the risk is likely lower, but it doesn't go beyond the pale to imagine malware will scan internal sites. It's almost certainly lower risk.
Until Microsoft offers more detailed guidance and/or a patch, about the only thing one can do is disable WebDAV: this will probably break functionality unless WebDAV was enabled without a good reason, and it's not possible to tell from here just what kind of impact that will make on the application(s) that require it.
It may well be that the only real choice is to disable it and live with the breakage rather than risk getting hacked. Again, this is something a local security expert can provide guidance on.
If you've determined that you really must disable it temporarily until better fixes or workarounds surface, these steps should help guide you.
This depends entirely on the application, and we don't have much guidance on this, but expect to find it as this information is spread.
Microsoft has specifically said that SharePoint and Outlook Web Access are not vulnerable to this (they use different implementations of WebDAV). Reference: Microsoft blog posting
We can also check a server via the network by testing the extensions that WebDAV uses and checking the response; this tells us if it's implemented or not.
These examples use the telnet command from a local Linux box: though it works from the same command on Windows, that platform won't echo what you type so it's much harder to tell what you're typing.
In each case, what you type is in red, with the "HTTP/1.1" response indicating whether it's supported or not. We're not looking for a success or fail, but the type of failure: "not implemented" means WebDAV is not supported, and anything else says it is supported and we've provided an incomplete method.
$ telnet myserver6 80 Trying 172.27.217.8... Connected to myserver6.unixwiz.lan. Escape character is '^]'. PROPFIND / HTTP/1.0 (blank line) HTTP/1.1 501 Not Implemented «— WebDAV not enabled Content-Length: 0 Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Date: Wed, 20 May 2009 18:10:05 GMT Connection: close Connection closed by foreign host.
$ telnet myserver6 80 Trying 172.27.217.8... Connected to myserver6.unixwiz.lan. Escape character is '^]'. PROPFIND / HTTP/1.0 (blank line) HTTP/1.1 411 Length Required «— WebDAV enabled Connection: close Date: Wed, 20 May 2009 18:10:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html Content-Length: 50 <body><h2>HTTP/1.0 411 Length Required</h2></body>Connection closed by foreign host.
$ telnet myserver5 80 Trying 192.168.16.13... Connected to myserver5.unixwiz.lan (192.168.16.13). Escape character is '^]'. PROPFIND / HTTP/1.0 (blank line) HTTP/1.1 501 Not Supported «— WebDAV not enabled Server: Microsoft-IIS/5.0 Date: Thu, 21 May 2009 05:17:14 GMT Content-Type: text/html Content-Length: 121 <html><head><title>Method Not Supported</title></head> <body><h1>The specified method is not supported</h1></body></html>Connection closed by foreign host.
$ telnet myserver5 80 Trying 192.168.1.13 Connected to myserver5.unixwiz.lan (192.168.16.13). Escape character is '^]'. PROPFIND / HTTP/1.0 (blank line) HTTP/1.1 411 Length Required «— WebDAV enabled Server: Microsoft-IIS/5.0 Date: Thu, 21 May 2009 05:13:27 GMT X-Powered-By: ASP.NET Content-Type: text/html Content-Length: 50 <body><h2>HTTP/1.0 411 Length Required</h2></body>Connection closed by foreign host.
Finding that WebDAV is not implemented is the same as navigating through the IIS manager to check the web extension for IIS6, or for checking the registry setting of IIS5.
We expect that some safe WebDAV vulnerability scanners will be available soon, and will include them here once known.
First published: 26 May 2009 (blogged)