MS IIS WebDAV Information Disclosure

May 28, 2009

Microsoft Internet Information Server (IIS) is a collection of Internet service packages. It provides Web Server, FTP Server, SMTP Server and other services. The Web Server service includes Active Server Pages (ASP) technology, which is used for dynamic content generation.

IIS supports Web Distributed Authoring and Versioning (WebDAV), a set of extensions to the HTTP protocol that allows users to manage files on a Web server, such as creating, reading or modifying files. Important features of the WebDAV protocol include locking/protection, extended document properties, name space management, and resource collections.

The WebDAV extension introduces a new HTTP request header, "Translate". If the value of this header starts with "f", the request is for the file itself, rather than the result of evaluating a server-side script. WebDAV also adds PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK as HTTP request methods.

The WebDAV protocol uses an XML-based data transaction scheme defined in RFC 2518. The following is an example of a WebDAV PROPFIND request:

    PROPFIND /webdav/abc.txt HTTP/1.1
    Depth: 0
    User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
    Host: x.x.x.x
    Content-Length: 0
    Connection: Keep-Alive
    Pragma: no-cache

A vulnerability exists in IIS when the WebDAV extension is enabled. It is due to improper handling of the Unicode token '/' (%c0%af) embedded in WebDAV request URIs. The vulnerable code in the WebDAV extension discards the Unicode character '/' and returns the requested resource without requiring proper credentials, which discloses information to unauthorized users.

An example of an attack request for a protected file is listed below:

    GET /%c0%af/webdav/confidential HTTP/1.1
    Translate: f
    Connection: close
    Host: x.x.x.x

SonicWALL has created and released IPS signatures that detect and block generic attack attempts targeting this vulnerability. The following signatures address this issue:

  • 1466 MS IIS 6.0 WebDAV Information Disclosure 1
  • 1469 MS IIS 6.0 WebDAV Information Disclosure 2
  • 1481 MS IIS 6.0 WebDAV Information Disclosure 3
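
Added example (not part of the original advisory and not SonicWALL's signature logic): a small Python check that flags the request pattern described above, for use when reviewing captured requests or proxy logs. %c0%af is the overlong two-byte UTF-8 form of '/'; the check generalizes to any overlong two-byte sequence in the path and raises the severity when the request is WebDAV-handled (a WebDAV method or a "Translate: f" header). The function names, verdict labels and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Methods the WebDAV extension adds to HTTP, as listed in the advisory.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Lead bytes 0xC0/0xC1 only ever start a two-byte form of an ASCII character,
# which valid UTF-8 forbids (ASCII must be one byte), so any match is overlong.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def hidden_chars(raw_path):
    """ASCII characters smuggled into the path as overlong two-byte sequences."""
    data = unquote_to_bytes(raw_path)
    return [chr(((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F))
            for m in OVERLONG.finditer(data)]

def parse_request(raw):
    """Split a raw request head into (method, target, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers

def classify(raw):
    """'alert': overlong bytes in a WebDAV-handled request; 'suspicious':
    overlong bytes in any other request; 'ok': none found."""
    method, target, headers = parse_request(raw)
    if not hidden_chars(target.split("?", 1)[0]):
        return "ok"
    translate_f = headers.get("translate", "").lower().startswith("f")
    return "alert" if method in WEBDAV_METHODS or translate_f else "suspicious"

# Constructed samples: the first two mirror the requests shown in the advisory.
PROPFIND_OK = ("PROPFIND /webdav/abc.txt HTTP/1.1\r\nDepth: 0\r\n"
               "Host: x.x.x.x\r\nContent-Length: 0\r\n\r\n")
GET_TRANSLATE = ("GET /%c0%af/webdav/confidential HTTP/1.1\r\nTranslate: f\r\n"
                 "Connection: close\r\nHost: x.x.x.x\r\n\r\n")
GET_PLAIN = "GET /%C0%AF/webdav/confidential HTTP/1.1\r\nHost: x.x.x.x\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("PROPFIND_OK", PROPFIND_OK), ("GET_TRANSLATE", GET_TRANSLATE),
                      ("GET_PLAIN", GET_PLAIN)]:
        print(name, classify(req))
```

The check decodes one layer of percent-encoding only, so run it on the URI exactly as it was received, before any normalization by a proxy or the server.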