Does this site look plain?

This site uses advanced css techniques

Steve Friedl's Unixwiz.net Tech Tips

Understanding Microsoft's KB971492 IIS5/IIS6 WebDAV Vulnerability

• Home
• Contact
• About
• TechTips
• Tools&Source
• Evo Payroll
• CmdLetters
• Research
• AT&T 3B2
• Advisories
• News/Pubs
• Literacy
• Calif.Voting
• Personal
• Tech Blog
• Evo Blog

In May 2009, a vulnerability in Microsoft's Internet Information Service's WebDAV was discovered, one which allows unauthenticated remote access to the server. Security researcher Thierry Zoller published a detailed analysis of it: this is a serious vulnerability which is reported to be experiencing exploits in the wild.

The vulnerability allows a remote anonymous user to bypass authentication checks and access the system in ways not intended for anonymous users: systems are getting hacked with this, and it's important to assess your local security posture and take steps to mitigate exposures that are discovered.

Microsoft published information on this in their Security Advisory (971492), but we found their guidance confusing for users who were not IIS experts. While researching what each of the pieces meant, we decided to create this Tech Tip with a simple flowchart that will help rapidly get to the "not vulnerable" stage if that's indeed the case.

Most systems are likely not vulnerable, but unless the flowchart below leads to "You are not vulnerable", we strongly recommend seeking local expertise to help assess your situation properly.

What is WebDAV?

WebDAV is Web-based Distributed Authoring and Versioning, an extension to the HTTP protocol to allow for remotely managing content on a webserver. Though the HTTP protocol does define GET, PUT, and DELETE methods, these are not sufficient for proper remote authoring (for instance, HTTP provides no method for creating a remote directory).

These extensions are general enough to use a webserver as repository for remote folders: Microsoft's "Web Folders" extension to Windows Explorer implemented this in a way that allowed for mostly-native access to a remote web repository as if it were a local folder right from the Windows desktop.

WebDAV is commonly used by web authoring systems, such as Adobe's Dreamweaver or Microsoft's Expression Web (followon to Frontpage), to publish information to the webserver.

It performs mostly the same functions that FTP does for publishing content, though a bit more efficiently and with features more in line with web publishing than FTP. FTP has always been a somewhat problematic protocol with respect to firewalls, and WebDAV has none of those issues (though WebDAV is reported to have its own issues with proxies).

WebDAV extends, not replaces the existing HTTP protocols, and a WebDAV-enabled server simply responds to a larger command set. This is best illustrated with this table showing the method names for the base HTTP protocol, WebDAV Extensions, and additional extensions supported by Microsoft.

Note that it's not necessary to understand the particulars here, but we feel that putting a new technology in context makes it easier to see where it fits in the big picture: consider it FYI-only.

protocol	method	description
HTTP	GET	Retrieves a resource (such as a web page) from the server, possible with a small amount of parameter data in the form of a query. This is the most common HTTP method.
	POST	Retrieves a resource with a possibly large number of submitted parameters. This is commonly used by a web browser.
	HEAD	Identical to a GET request, but returns just the HTTP headers and not the body of the message.
	DELETE	Attempts to delete a resources; not commonly used by a browser
	PUT	Uploads a version of a document; not commonly used by browsers.
	OPTIONS TRACE CONNECT	Not commonly used.
WebDAV	PROPFIND	Used to retrieve properties, stored as XML, from a resource. It is also overloaded to allow one to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system.
	PROPPATCH	Used to change or delete ("patch") multiple properties on a resource in a single atomic act.
	MKCOL	Used to create collections (example: a directory).
	COPY	Used to copy a resource from one URI to another.
	MOVE	Used to move a resource from one URI to another.
	LOCK	Used to put a lock on a resource. WebDAV supports both shared and exclusive locks.
	UNLOCK	To remove a lock from a resource.
WebDAV w/ Microsoft Extensions	BCOPY	Batched version of COPY
	BDELETE	Batched version of DELETE
	BMOVE	Batched version of MOVE
	BPROPFIND	Batched version of PROPFIND
	BPROPPATCH	Batched version of PROPPATCH

How do I know if I'm vulnerable or not?

If you're running any version of IIS with WebDAV enabled, you're possibly vulnerable, but if WebDAV is not enabled, you're certainly not. To help determine if you have anything to worry about, we've prepared this flowchart to help you figure it out for yourself, though it's geared to the more common case of "for sure not vulnerable".

1. Are you running Windows?

• NO STOP, you're not vulnerable.
• YES: You may or may not be vulnerable; go to next step

2. Does your OS ship with IIS5.x or IIS6?

• NO STOP, you're not vulnerable
• YES: You may or may not be vulnerable; go to next step

• NOT SURE: Your version of IIS is determined by the version of the operating system you're running (from Microsoft KB224609).

  You're either possibly vulnerable or not vulnerable.

  • 1.0 - Windows NT Server 3.51 (no WebDAV)
  • 2.0 - Windows Server 4.0 (no WebDAV)
  • 3.0 - Windows Server 4.0 SP3 (no WebDAV)
  • 4.0 - Windows Server 4.0 (no WebDAV)
  • 5.0 - Windows 2000
  • 5.1 - Windows XP x86
  • 6.0 - Windows XP x64
  • 6.0 - Windows Server 2003
  • 7.0 - Server 2008 and Vista (WebDAV not vulnerable)

3. Is IIS installed and running?

• NO STOP, you're not vulnerable
• YES: You may or may not be vulnerable; go to next step
• NOT SURE: Check the Services applet in the Control Panel, looking for the World Wide Web Publishing Service as shown to the right.
  • If it's missing: STOP: you are not vulnerable.
  • If the Startup Type is Disabled or Manual and is not Started; STOP: you're probably not vulnerable as long as it's remains not-Running.
  • It's marked Automatic or is in Started state; you may be vulnerable, go to the next step.

4. How do I tell if I have WebDAV installed and/or enabled?

IIS5.x — WebDAV is installed and enabled by default; you're possibly vulnerable if IIS is running. Disabling WebDAV (discussed later) requires a custom registry setting that's unlikely to have been configured previously.

IIS6 — WebDAV is always installed, but disabled by default; it's also easy to check the status of this extension.

• Navigate to Start » Administrative Tools
• Launch Internet Information Services (IIS) Manager
  
• Expand the Local Computer entry
• Click on Web Services Extensions on the left
• Look for WebDAV in the panel on the right:
  • If it's not present, STOP: you're not vulnerable
  • If it's present but marked Prohibited, STOP: you're not vulnerable
  • If it's marked "Allowed", you're possibly vulnerable

5. So far I think I'm vulnerable - am I really?

Probably not.

This checklist was designed to help you find the surely-not-vulnerable case easily and reliably, but there are still additional more technical conditions required to actually be vulnerable. These are not generally default settings, so it would have required some explicit and intentional settings to take effect.

The details of how to research this are beyond the scope of this paper, though they are mostly likely to apply to sites that already have substantial local expertise in IIS (to have set the non-default settings in the first place).

If you have WebDAV enabled and have any doubt about the above conditions being true for you, seek professional guidance. This may be from your web development or IT department, a competent local consultant, or a support forum.

This is especially important if your site holds high-value or confidential data (especially if it's privacy related) - a number of web sites are getting some unwanted publicity after being compromised by this problem, and it's better to be safe than sorry.

I'm vulnerable — What do I do?

Unfortunately, the answer here is "that depends".

If the webserver is exposed to the Internet, this is the highest risk: there are known exploits floating about, and auto-hack bots are just a matter of time.

For internal-only sites (such as an Intranet), the risk is likely lower, but it doesn't go beyond the pale to imagine malware will scan internal sites. It's almost certainly lower risk.

Until Microsoft offers more detailed guidance and/or a patch, about the only thing one can do is disable WebDAV: this will probably break functionality unless WebDAV was enabled without a good reason, and it's not possible to tell from here just what kind of impact that will make on the application(s) that require it.

It may well be that the only real choice is to disable it and live with the breakage rather than risk getting hacked. Again, this is something a local security expert can provide guidance on.

How do I disable WebDAV?

If you've determined that you really must disable it temporarily until better fixes or workarounds surface, these steps should help guide you.

IIS 5.x

WebDAV is always installed and enabled on IIS5, so the systems are probably vulnerable out of the box. Unlike IIS6, IIS5 requires mucking with the registry to disable WebDAV:

• Microsoft KB 241520 — How to disable WebDAV for IIS 5.x

You must restart IIS to make this change take effect.

IIS 6

Using the same IIS Manager you used to check the WebDAV status, you can disable it too. If WebDAV is "Allowed", simply right-click on the extension and click "Prohibit".

This will immediately disable the WebDAV functionality; no restart of IIS is required.

What will this break?

This depends entirely on the application, and we don't have much guidance on this, but expect to find it as this information is spread.

Microsoft has specifically said that SharePoint and Outlook Web Access are not vulnerable to this (they use different implementations of WebDAV). Reference: Microsoft blog posting

Web protocol check

We can also check a server via the network by testing the extensions that WebDAV uses and checking the response; this tells us if it's implemented or not.

These examples use the telnet command from a local Linux box: though it works from the same command on Windows, that platform won't echo what you type so it's much harder to tell what you're typing.

In each case, what you type is in red, with the "HTTP/1.1" response indicating whether it's supported or not. We're not looking for a success or fail, but the type of failure: "not implemented" means WebDAV is not supported, and anything else says it is supported and we've provided an incomplete method.

Checking IIS6

$ telnet myserver6 80
Trying 172.27.217.8...
Connected to myserver6.unixwiz.lan.
Escape character is '^]'.
PROPFIND / HTTP/1.0
(blank line)

HTTP/1.1 501 Not Implemented          «— WebDAV not enabled
Content-Length: 0
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 20 May 2009 18:10:05 GMT
Connection: close

Connection closed by foreign host.

$ telnet myserver6 80
Trying 172.27.217.8...
Connected to myserver6.unixwiz.lan.
Escape character is '^]'.
PROPFIND / HTTP/1.0
(blank line)

HTTP/1.1 411 Length Required          «— WebDAV enabled
Connection: close
Date: Wed, 20 May 2009 18:10:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 50

<body><h2>HTTP/1.0 411 Length Required</h2></body>Connection closed by foreign host.

Checking IIS5

$ telnet myserver5 80
Trying 192.168.16.13...
Connected to myserver5.unixwiz.lan (192.168.16.13).
Escape character is '^]'.
PROPFIND / HTTP/1.0
(blank line)

HTTP/1.1 501 Not Supported	           «— WebDAV not enabled
Server: Microsoft-IIS/5.0
Date: Thu, 21 May 2009 05:17:14 GMT
Content-Type: text/html
Content-Length: 121

<html><head><title>Method Not Supported</title></head>
<body><h1>The specified method is not supported</h1></body></html>Connection closed by foreign host.

$ telnet myserver5 80
Trying 192.168.1.13
Connected to myserver5.unixwiz.lan (192.168.16.13).
Escape character is '^]'.
PROPFIND / HTTP/1.0
(blank line)

HTTP/1.1 411 Length Required          «— WebDAV enabled
Server: Microsoft-IIS/5.0
Date: Thu, 21 May 2009 05:13:27 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 50

<body><h2>HTTP/1.0 411 Length Required</h2></body>Connection closed by foreign host.

Finding that WebDAV is not implemented is the same as navigating through the IIS manager to check the web extension for IIS6, or for checking the registry setting of IIS5.

We expect that some safe WebDAV vulnerability scanners will be available soon, and will include them here once known.

References

• Microsoft IIS 6.0 WebDAV Remote Authentication Bypass - Advisory — by Kingcope, the researcher who discovered the vulnerability.
• IIS 6 / IIS 5 / IIS 5.1+ Webdav auth bypass — Advisory by Thierry Zoller, security researcher who analyzed the vulnerability in detail.
• RFC 2616 - HTTP Protocol
• RFC 4918 - WebDAV Protocol
• Microsoft Security Advisory (971492) — Vulnerability in Internet Information Services could allow elevation of privilege
• Microsoft KB241520: — How to disable WebDAV for IIS 5.x
• Microsoft KB224609: How to obtain versions of Internet Information Server (IIS)
• Microsoft Security & Defense blog — Answers to the IIS WebDAV authentication bypass questions

---

First published: 26 May 2009 (blogged)