Security hole in IIS 6.0
A WebDAV vulnerability in Microsoft's Internet Information Server 6.0 (IIS) allows attackers to access password-protected directories and download and even upload arbitrary files. According to a report, the access isn't limited to WebDAV folders: the vulnerability affects all the directories controlled by the web server. It is caused by a flaw in the processing of Unicode characters.
Nicolaos Rangos, who discovered the hole, reports that a request with a header like the following example prompts IIS to return a protected file from a regular folder without any authentication:
GET /..%c0%af/protected/protected.zip HTTP/1.1
In this example, the slash "/" is encoded as the Unicode character %c0%af; the security function apparently overlooks this and consequently grants access to /protected/protected.zip. The Translate: f option activates the WebDAV function for regular directories. It is, however, not possible to download ASP scripts this way unless the server has explicitly been enabled to return source code.
According to Rangos, an attack on the WebDAV folder is slightly more complex, but does enable the attacker to upload as well as download:
PROPFIND /protec%c0%afted/ HTTP/1.1
<?xml version="1.0" encoding="utf-8"?>
WebDAV is not enabled by default. Those who have activated it should disable it, or deny remote access from the internet, until further information and a solution to this problem have become available.
A similar hole was discovered in IIS 4 and 5 in 2000. The security expert Thierry Zoller has compared the old hole and this new hole in his blog.
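For reviewing server logs while WebDAV is being disabled, the following Python code (an added example, not part of the original report) flags request URIs that contain overlong UTF-8 sequences such as the %c0%af used in both requests above, and shows which ASCII character each one stands for. It goes beyond the page's case by also covering the 0xC1 and three-byte 0xE0 forms; the "METHOD URI STATUS" log layout, the sample lines and all function names are constructed assumptions.

```python
from urllib.parse import unquote_to_bytes

# WebDAV verbs; an overlong sequence in one of these requests deserves priority.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "PUT", "DELETE",
               "COPY", "MOVE", "LOCK", "UNLOCK"}

def _cont(byte):
    """True for a UTF-8 continuation byte (10xxxxxx)."""
    return byte & 0xC0 == 0x80

def overlong_sequences(uri):
    """Return [(hex_bytes, decoded_char)] for each overlong UTF-8 sequence."""
    raw = unquote_to_bytes(uri)  # percent-decode to raw bytes, no charset guess
    hits, i = [], 0
    while i < len(raw):
        b, rest = raw[i], raw[i + 1:i + 3]
        # Two-byte form: lead 0xC0/0xC1 can only carry U+0000..U+007F.
        if b in (0xC0, 0xC1) and len(rest) >= 1 and _cont(rest[0]):
            cp = ((b & 0x1F) << 6) | (rest[0] & 0x3F)
            hits.append((raw[i:i + 2].hex(), chr(cp)))
            i += 2
        # Three-byte form: 0xE0 then 0x80..0x9F carries a value below U+0800.
        elif (b == 0xE0 and len(rest) == 2
              and 0x80 <= rest[0] <= 0x9F and _cont(rest[1])):
            cp = ((rest[0] & 0x3F) << 6) | (rest[1] & 0x3F)
            hits.append((raw[i:i + 3].hex(), chr(cp)))
            i += 3
        else:
            i += 1
    return hits

def scan(lines):
    """Return (method, uri, hits, is_webdav) for every line with a hit."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        method, uri = parts[0].upper(), parts[1]
        hits = overlong_sequences(uri)
        if hits:
            findings.append((method, uri, hits, method in DAV_METHODS))
    return findings

# Constructed sample lines in an assumed "METHOD URI STATUS" layout.
SAMPLE = ["GET /..%c0%af/protected/protected.zip 200",
          "PROPFIND /protec%c0%afted/ 207",
          "GET /caf%c3%a9/menu.html 200",  # well-formed UTF-8, not flagged
          "GET /index.html 200"]
```

Well-formed multi-byte UTF-8 is left alone, so international file names do not raise false positives.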
- IIS6 + webdav and unicode rides again in 2009.
- IIS 6 + Webdav auth bypass and data upload, a report from Thierry Zoller.