Slashdot Mirror


Microsoft Downplays IIS Bug Threat

snydeq writes "Microsoft confirmed that its IIS Web-server software contains a vulnerability that could let attackers steal data, but downplayed the threat, saying 'only a specific IIS configuration is at risk from this vulnerability.' The flaw, which involves how Microsoft's software processes Unicode tokens, has been found to give attackers a way to view protected files on IIS Web servers without authorization. The vulnerability, exposed by Nikolaos Rangos, could be used to upload files as well. Affecting IIS 6 users who have enabled WebDAV for sharing documents via the Web, the flaw is currently being exploited in online attacks, according to CERT, and is reminiscent of the well-known IIS unicode path traversal issue of 2001, one of the worst Windows vulnerabilities of the past decade."

32 of 114 comments

  1. 'only a specific IIS configuration is at risk' by Jurily · · Score: 5, Funny

    The default?

    1. Re:'only a specific IIS configuration is at risk' by AliasMarlowe · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:'only a specific IIS configuration is at risk' by Jurily · · Score: 4, Funny

      Did they give any configuration which is not at risk?

      Yes. It's a hidden one, only attainable by those who see the Light. All hail fdisk!

    3. Re:'only a specific IIS configuration is at risk' by Anonymous Coward · · Score: 5, Informative

      Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default.

      Only IIS 5, 5.1 and 6 are potentially vulnerable under these conditions.

      IIS 7 is not vulnerable even with WEBDAV installed.

    4. Re:'only a specific IIS configuration is at risk' by cayenne8 · · Score: 3, Funny
      "Only servers with WEBDAV installed are vulnerable. WEBDAV is not installed and configured by default."

      Sounds like you could avoid it by not allowing Unicode either...

      I mean, who really needs 'all' those characters?

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:'only a specific IIS configuration is at risk' by Ralish · · Score: 5, Informative

      Did they give any configuration which is not at risk?

      Yes, several: More information about the IIS authentication bypass

      Worth noting that this only affects IIS 5.x and 6.x, which admittedly, accounts for the huge majority of IIS webservers, but IIS 7.x (Windows Server 2008 and above) are not affected.

    6. Re:'only a specific IIS configuration is at risk' by rvw · · Score: 2, Funny

      I mean, who really needs 'all' those characters?

      Here on slashdot, we only need one character: Anonymous Coward!

    7. Re:'only a specific IIS configuration is at risk' by timbck2 · · Score: 5, Informative

      IIRC, WebDAV *is* configured by default on IIS 5. Here's a link to instructions on disabling it (the procedure involves adding a registry value and restarting IIS):

      Microsoft KB Article #241520

      --
      Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
  2. WebDAV used much? by TranceThrust · · Score: 2, Interesting

    Is Microsoft 'correct' in downplaying, in the sense that the particular vulnerable configuration mentioned is not used by many?

    1. Re:WebDAV used much? by Shados · · Score: 5, Informative

      Yup. You need a fairly specific setup: WebDav enabled on the same application as NTLM authentication (kerberos and anonymous/form is ok as far as I understand), and there must not be anything on top of WebDAV for authentication (such as one of the various single sign-on ISAPIs or a CMS exposing its content through webdav with some form of custom security schemes).

      Since no one in their right mind will have WebDav and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios. Don't get me wrong: that is severe, as most hacking DOES come from within.

      What makes it far more major is that it's one of the extremely rare remotely exploitable vulnerabilities that IIS6 has had. Contrary to Slashdot belief, IIS6 (IIS7 more so though) is totally rock solid and extremely secure, so having something like that pop up is quite scary.

    2. Re:WebDAV used much? by Anonymous Coward · · Score: 2, Insightful


      Since no one in their right mind will have WebDav and NTLM exposed to a public site

      Have you ever worked in IT? Things "no one in their right mind" would do happen all the time. People don't want to remember 10 different passwords, so I can easily see people wanting to be able to update the website with their "windows password". I'm betting this configuration is far more common than you might think.

    3. Re:WebDAV used much? by blincoln · · Score: 4, Informative

      Since no one in their right mind will have WebDav and NTLM exposed to a public site

      They will if they're running Outlook Web Access, and haven't manually disabled NTLM using a command-line vbscript that comes with IIS.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    4. Re:WebDAV used much? by 93+Escort+Wagon · · Score: 3, Insightful

      Since no one in their right mind will have WebDav and NTLM exposed to a public site, then the "hackers" can only come from within in the vast majority of scenarios.

      You're making the mistake of assuming that most IIS admins know what they're doing. I'm sure most of them think they know what they're doing, but I'm betting this flaw will get exploited from without much more often than you think it will.

      --
      #DeleteChrome
    5. Re:WebDAV used much? by dbIII · · Score: 2, Funny

      IIS6 (IIS7 more so though) is totally rock solid and extremely secure

      Reality just stood up and punched that misconception on the nose.

    6. Re:WebDAV used much? by blincoln · · Score: 5, Informative

      There is so much wrong with that statement... First, if it is a vbscript, it isn't manual and it isn't command-line.

      Do me a favour. Find your IIS root folder (C:\Inetpub by default). Go into the AdminScripts subfolder. Try double-clicking adsutil.vbs and see how well it works running as a GUI app instead of being called from the command line using cscript.

      Also when using Windows Integrated Auth, Kerberos is the default authentication. If Kerberos fails, then it uses NTLM. Unless you can provide a link that says otherwise...

      Kerberos is allowed by default, but so is NTLM. If you want to *disallow* NTLM, you have to do this using the script I mentioned above, and in my original post. The syntax is e.g.:

      cscript -nologo adsutil.vbs SET w3svc/1/root/NTAuthenticationProviders "Negotiate"

      Seems pretty manual to me. But what do I know?

      PS: You can verify this on your IIS install using the GET version of that command. The default is "Negotiate,NTLM" (which is also true if it's not explicitly defined). Most IIS admins and engineers don't know how to do things like set up SPNs for Kerberos authentication, which I'm sure is why NTLM is allowed by default.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    7. Re:WebDAV used much? by blincoln · · Score: 4, Informative

      The system-wide WebDAV isn't required. Exchange installs its own, separate WebDAV components, which are.

      See:

      http://support.microsoft.com/kb/309508/ ("Exchange 2000 components use Web Distributed Authoring and Versioning (WebDAV) and other Hypertext Transfer Protocol (HTTP) verbs that are not allowed by the default configuration [of the IIS Lockdown and URLScan tools].")

      http://windowsitpro.com/article/articleid/38396/critical-webdav-vulnerability-are-your-exchange-servers-safe.html ("You can't disable WebDAV on your Exchange 2000 servers because OWA 2000 depends on WebDAV")

      and

      http://windowsitpro.com/article/articleid/45356/deciding-if-and-how-to-disable-webdav-access.html ("If you're trying to disable Exchange 2003's DAV implementation, be aware that Outlook Web Access (OWA) and several other Exchange components depend on DAV. By blocking specific DAV verbs at the network level (through a firewall) or by installing URLScan, you will break the Exchange DAV implementation."). This last article specifically mentions the separate DAV DLLs for Exchange.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    8. Re:WebDAV used much? by blincoln · · Score: 2, Informative

      Note 1: see this Microsoft article for the official documentation.

      Note 2: I suspect that "Negotiate" might actually mean "use the operating-system-level security configurations of the client and the server to determine which protocol is acceptable", so that in order to truly *force* Kerberos you might also have to disallow all varieties of NTLM in the security policy for the server. That's just a guess though.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  3. Subliminal messaging by ZinnHelden · · Score: 2, Insightful

    'only a specific IIS configuration is at risk from this vulnerability.'

    In my head I keep hearing, "don't use webDAV, use Exchange and SharePoint!"

    1. Re:Subliminal messaging by Jurily · · Score: 2, Insightful

      In my head I keep hearing, "don't use webDAV, use Exchange and SharePoint!"

      Funny. It sounded like "use software with open standards and secure implementations" to me.

    2. Re:Subliminal messaging by ZinnHelden · · Score: 3, Funny

      Yeah, I may hear their insane whispering, but I'm not giving up my Citadel server.

  4. Not a typical configuration by jsnipy · · Score: 4, Informative

    This is really not a typical configuration for an outward facing site. Acting like this is some great find and "game over" scenario is a little far fetched. "Downplay" is flamebait in this context. But, it does make a good m$ bashing opportunity!

    --
    -- if you mod me down, I will become more powerful than you can possibly imagine
  5. For more information by itayperl · · Score: 3, Informative
  6. oblig by Benanov · · Score: 4, Funny

    One that isn't installed.

  7. The researcher nixes MS downplaying by Twillerror · · Score: 4, Informative

    http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

    Several news stories seem to allude that Microsoft is artificially downplaying the threat; citations of myself are used to underline the headline in an "us against Microsoft" kind of way. I want to clarify that I have the utmost respect for the MSRC team and I don't suspect Microsoft to willingly downplay anything. They also claim I am from Belgium; I am obviously from Luxembourg. The bug also is not the same as the IIS4/5 one, its root cause is similar. That's about it.

  8. Internal Memo by geoffrobinson · · Score: 5, Funny

    To Whom It May Be Concerned:

    Warner Bros., in an ill-advised attempt to promote Terminator Salvation, created a Skynet virus which aims to take over the world.

    For some reason, it targets IIS.

    We're doomed. Please head to the bomb shelter and the world will start again with a base of Microsoft employees.

    thank you,
    Management

    --
    Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  9. Serious question by Ash-Fox · · Score: 3, Interesting

    Serious question, has the Apache package even had any bad vulnerabilities like this in the past ten years?

    --
    Change is certain; progress is not obligatory.
    1. Re:Serious question by dkleinsc · · Score: 2, Informative

      For lazy people, about 3 vulnerabilities classified as "Highly" critical, 0 "Extremely", out of a total of around 50 across Apache 1, Apache 2.0.x, and Apache 2.2.x. Of the 50, the vast majority are at least partially fixed.

      It's hard to get a fix on equivalent numbers for IIS, since they all seem to fall under the MS Windows category.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:Serious question by Twillerror · · Score: 5, Interesting

      Serious answer. Apache is a modular beast and so doesn't get blamed for modular problems like this.

      There have been issues even bigger in various mods like mod_php.

      Even code red was a problem with Internet printing and not really the core IIS. Maybe IIS should have blocked it and already had URLScan, but ultimately it was just passing a URL along some C++ code that blew up. MS created that .DLL so we can blame MS..but blaming IIS itself was slightly off.

      The core of both IIS and Apache have been pretty well hardened. Hence why WebDav is turned off in IIS 6. Even .ASP has to be turned on during setup.

      MS puts out its own mods essentially...where Apache would have a different team working on WebDAV. If the same "exploit" was found in mod_webdav who could we really blame. Yell at the Apache foundation...no, we would professionally fix the issue. Maybe some flamebaiters on the other side would yell..."see open source is less secure".

      Software has bugs, some of them are security related. When open source creates them they are presented as bugs...when MS creates them it is some kind of great conspiracy to rule the world. Some guy just like you wrote this bad code and is probably feeling like crap today. Some tester let it get through and is feeling really crappy today. A bunch of dudes at both MS and the rest of the security community are pulling up their britches and getting it fixed...move along nothing to really see here.

  10. Re:Are they big enough? by x2A · · Score: 2, Insightful

    Anything Microsoft related on Slashdot forums is automatically flamebait because of the emotional reactions the mere word 'Microsoft' triggers in so many Slashdotters which makes it unpossible to have a proper serious, well thought out debate. Just look at the replies it's getting. It's pathetic huh.

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  11. It's not a big deal by SlappyBastard · · Score: 5, Funny

    Anyone using the exploit is prompted repeatedly about whether they really, really want to do it.

    Geez. Don't you people know anything about Windows security?

    --
    I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
  12. Re:ISS bug by Ash-Fox · · Score: 2, Funny

    Nasa downplays ISS bug.

    Fortunately they have got a Russian on board the space station.

    "This is how we fix things on Russian space station!" --Lev Andropov

    (He then proceeds to take a hammer and whack the equipment.)

    --
    Change is certain; progress is not obligatory.
  13. This is another Unicode hole by spitzak · · Score: 2, Interesting

    It sounds like the basic cause is something attempting to translate a string into "unicode" before using it.

    For some reason, normally intelligent programmers turn into complete morons when presented with UTF-8 and other Unicode encodings. They become convinced that it is somehow physically impossible to do anything to these strings without first finding all the "characters" (actually Unicode code points, which are not "characters") and will write pages and pages of elaborate and bug-prone code to do this and "count characters". This code is COMPLICATED and there is the basic fact that the mapping is often not 1:1 and even when it is different implementations vary and thus don't invert correctly. This causes bugs, nasty ones like you can see right. here.

    In fact it would be trivial to just treat it as a string of bytes that happens to maybe represent some text. The ONLY time you need "characters" is when you are rendering the string into an image that humans will look at, and if you want to do semantic analysis such as grammar checking. It is not needed if you are looking for the period that starts the extension or trying to find a number.

    What is really sad and mysterious is that this disease only seems to be triggered by UTF-8. Nobody worries about finding the boundaries between "words". Nobody seems to worry about UTF-16 surrogate pairs, and nobody was really concerned with older Japanese multi-byte encodings.

    This is NOT Microsoft-specific so don't feel complacent. Microsoft's moronic decision to name files with UTF-16 is really bad, but witness open source Python 3.0 which has decided that all strings will have to be converted to "unicode" (actually UTF-16 or UTF-32 depending on the platform) before anything is done to them. Python is heavily used to parse HTML and URLs and I expect a huge mess from this stupid idea.

    I'm sure there will be a few responses claiming some magical property of "characters" so that you can't do anything about it. PLEASE, try some thought experiments. Try substituting "words" in your example, it will either be stupid, or you will realize that only a tiny portion of software needs it. Go and write some code where you leave the strings in UTF-8 and maybe you will learn.
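The defender's side of spitzak's point (decoders disagree and don't invert cleanly) is to decode strictly, canonicalize once, and authorize only the canonical form the file system will actually see. This is an added example, not code from the post or from IIS: the protected-prefix list, the naive checker and the sample paths are constructed to show the ordering mistake, and it uses Python's strict UTF-8 decoder, which rejects malformed sequences rather than guessing.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample policy: anything under /protected/ requires a logged-in user.
PROTECTED_PREFIXES = ("/protected/",)


def canonicalize(raw_path: str) -> Optional[str]:
    """Percent-decode, strictly UTF-8 decode, and normalize a request path.

    Returns None when the input has no single unambiguous meaning, so the
    caller can deny it outright instead of letting two decoders disagree.
    """
    try:
        # errors="strict" rejects invalid and overlong byte sequences, which is
        # exactly the class of input where lenient decoders diverge.
        text = unquote_to_bytes(raw_path).decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in text or "\\" in text or not text.startswith("/"):
        return None
    # Collapse leading slashes first: posixpath.normpath preserves "//" on
    # purpose, and "//protected/x" must not escape the prefix check.
    text = "/" + text.lstrip("/")
    return posixpath.normpath(text)


def is_authorized(raw_path: str, authenticated: bool) -> bool:
    """Decide access on the canonical path only (the correct ordering)."""
    path = canonicalize(raw_path)
    if path is None:
        return False
    if any(path.startswith(p) for p in PROTECTED_PREFIXES):
        return authenticated
    return True


def is_authorized_naive(raw_path: str, authenticated: bool) -> bool:
    """The mistake: compare the raw request string, decode afterwards."""
    if any(raw_path.startswith(p) for p in PROTECTED_PREFIXES):
        return authenticated
    return True


if __name__ == "__main__":
    # Constructed requests from an unauthenticated client.
    for req in ("/public/index.html", "/protected/secret.txt",
                "/public/../protected/secret.txt", "/%70rotected/secret.txt"):
        print(f"{req!r:40} naive={is_authorized_naive(req, False)!s:5} "
              f"canonical={is_authorized(req, False)}")
```

The naive checker lets the percent-encoded and dot-segment forms through because it compares a string the file system never sees; the canonical checker denies them and also refuses bytes that are not valid UTF-8.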