Microsoft IIS WebDAV directory list vulnerability
Note that this issue affects IIS versions prior to 7. A remote attacker may be able to bypass the access restrictions and list, download, upload and modify protected files. We are currently unaware of a practical solution to this problem.
Please consider the following workarounds: Please see Microsoft Security Advisory for further mitigation information. Microsoft Security Advisory has been released to address this issue.
The trick with 5. This also works on IIS 6. I modified the script so that it uses the 5. Now for the fun part. If you haven't turned on some funky cold medina yet, get to it because we're almost done! First thing we need to do is find a vulnerable server. I just happen to know of a Windows box in my lab running IIS 6. Let's see how an nmap scan of this box with the updated script works out:
So now we know the server has WebDAV enabled and that there are three vulnerable folders. Now we could do everything by telnet-ing over port 80, but that's not much fun (believe me, it's very tedious!). Now cadaver itself is a great little command line WebDAV client but I quickly realized it has a bunch of problems that won't let us do what we wanted. The nice thing about FOSS is that it's open, so we grabbed the cadaver Check the patch itself for the gritty details but basically it does the following:
So, grab the cadaver Here are the commands: Now we should have a patched, compiled version of cadaver, so start it up with the server that was identified as having a vulnerable folder earlier:
Now just cd into the vulnerable folder and check out what's there: Also, this patched cadaver will not work for browsing regular WebDAV folders (non-vulnerable), so don't try. If anyone has been able to successfully exploit this on IIS 5. At least then we'll have something. Goku: That method does not seem to work reliably. You can also just reinstall over top, but that's not as helpful and can cause a few problems. Hello Matt, my Y!
I tried it on IIS 6. It was configured like that: we created a vhost based on a folder browsable by everyone, which contains some txt files accessible only by administrator. I can browse the folder and its content with a common browser, but when I try to list its content using your patched cadaver, it returns no files, like the folder is empty.
That should give you the detailed information to solve these issues. I'm getting the same results in our lab. I can also browse the contents with a common browser and see there is a file there, but using cadaver (patched and not patched) it does not show the file. Getting the file works with the patched cadaver, but I'll take a look in a little bit and see what the browser is doing differently than cadaver and try to replicate that in the cadaver patch.
The instructions are all available in this thread, especially in Matt's post -- I don't think we can do much more to help you. Looks like one does not simply Unicode his way into Mordor! I've successfully been able to upload a PHP file to a WebDAV server with authentication. That'll tell Nmap to use the current directory for its datafiles, not the system directory. It's important to run that before you run Nmap from a non-system folder.
This security update addresses the vulnerability described in Microsoft Security Advisory The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.
For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Where are the file information details? Refer to the reference tables in the Security Update Deployment section for the location of the file information details.
Why does this update address several reported security vulnerabilities? This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.
I am using an older release of the software discussed in this security bulletin. What should I do? The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services. Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.
For more information, see Microsoft Exploitability Index.