Published:
08 March 2001
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.107 -- Microsoft Security Bulletin MS01-016
Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources
9 March 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IIS 5.0
Vendor: Microsoft
Impact: Denial of Service
Access Required: Remote
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Malformed WebDAV Request Can Cause IIS
to Exhaust CPU Resources
Date: 08 March 2001
Software: IIS 5.0
Impact: Denial of Service
Bulletin: MS01-016
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp.
- - ----------------------------------------------------------------------
Issue:
======
WebDAV is an extension to the HTTP protocol that allows remote
authoring and management of web content. In the Windows 2000
implementation of the protocol, IIS 5.0 performs initial processing
of all WebDAV requests, then forwards the appropriate commands to the
WebDAV process. However, a flaw exists in the way WebDAV handles a
particular type of malformed request. If a stream of such requests
were directed at an affected server, it would consume all CPU
availability on the server.
Because the discoverer of this vulnerability has chosen to publish
code to exploit this vulnerability before a patch could be developed,
Microsoft has developed a workaround that can be used to defend
against attack. Knowledge Base article Q241520 provides step-by-step
instructions for changing the permissions on the .DLL that provides
WebDAV services in order to effectively disable it on the machine.
When a patch is available, we will re-release this bulletin and
provide updated information.
Microsoft recommends that customers consider applying the workaround
to any servers running IIS 5.0. Although this obviously includes web
servers, other services, notably Exchange 2000, may also require that
IIS 5.0 be enabled.
Mitigating Factors:
====================
- The effect of an attack via this vulnerability would be temporary.
The
server would automatically resume normal service as soon as the
malformed
requests stopped arriving.
- The vulnerability does not provide an attacker with any capability
to
carry out WebDAV requests.
- The vulnerability does not provide any capability to compromise
data on
the server or gain administrative control over it.
Patch Availability:
===================
- A patch is currently under development and will be released
shortly. In
the meantime, Knowledge Base article Q241520
(http://www.microsoft.com/technet/support/kb.asp?ID=241520)
provides a workaround that can be used to protect against this
vulnerability.
Please read the Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
for more information on this vulnerability.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOqgEso0ZSRQxA/UrAQEfuAf7B/9Ba0KygUxx4GYoPaNQu6mmwlJ7nQy1
firxtPeQPSaNriq8mHKPPh1lvWrlSX0iCaIA4UP7bS7By94NBAwGB4h0vmcmwAvT
bL0U0bPJZRPeRs7OQpkztzOLUlmCbvHHK7QoHhQ+QY7TmNzM6uXjXJ/jVJZVPZpo
a3gKPrRyR0gXPzN2g10i4rHMKGROe+yRWmQvTh4lRXMATD0d59H5me1MvVbGSa5W
pNnKbeOZPpphQVMIqjZflNaLko7ccUjL4Wu/ldNUl31bQGdZkB2izoqieuhwU1mQ
F2wfVzLkBmQF+CLooFtzurX9FVvTbwOys3ZPVWitZILUL3dvmbs+RQ==
=zZRX
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOqj/Fyh9+71yA2DNAQEDRwQAhycfwhYUOQHG3jXVU8DrHFA6EaCEKCkW
EcmjkebWs9htqV5sivuLLCWaISDwOJijqaMpwcQeG+IEYFdwLwXrpHAioUCl9ORC
tjBqDke4Gl4XgDAFkIKLkWNNwRKg1mFgAlRpmjlNbbOO741rohQ9yt8KBirUjzXK
r0exnC+RTIw=
=1SPV
-----END PGP SIGNATURE-----