Tool found for WebDAV vulnerability

A computer security company warned on Wednesday that it discovered a new automated tool for exploiting the recently publicized WebDAV vulnerability affecting Microsoft's Windows NT and 2000 operating systems.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

The availability of an automated attack tool on the Internet may pave the way for a new worm that could take advantage of unpatched systems, raising the stakes for those organizations that have not applied Microsoft's patch, according to a statement from Citadel Security Software.

Microsoft originally disclosed the vulnerability when it released a patch for the problem in March.

WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams.

An unchecked buffer in a core Windows component, ntdll.dll, could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp.)

The vulnerability allows attackers to mount a denial of service (DoS) attack against Windows 2000 machines or execute their own malicious code in the security context of the Internet Information Server (IIS) service, giving them unfettered access to the vulnerable system, Microsoft said.

At the time the bulletin was released, Microsoft and Internet Security Systems Inc. were aware of at least one attack against a Microsoft customer that used the heretofore unknown WebDAV vulnerability, though no automated tools to take advantage of the vulnerability existed.

With the help of an automated tool, even technically unsophisticated attackers, or "script kiddies," could launch such attacks on a wide scale, according to Chris Wysopal, director of research and development at @stake Inc. in Cambridge, Mass.

Such automated tools often appear soon after new vulnerabilities and exploits become known within the malicious hacking community, following a progression from simple 'proof of concept' exploits to more sophisticated attacks and then to automated attacks, Wysopal said.

Automated tools often build on the work of others, adding functionality for automatically scanning ranges of Internet addresses for vulnerable hosts and graphical user interfaces that make it easy to compromise large numbers of vulnerable machines, even with no understanding of how the exploits work, according to Wysopal.

"Once you get to that point, [automated tools] can be turned into a worm. That's the point where it's at now," he said.

The transition from automated tool to worm could be short, with the "guts" of the automated tool married to code that enables the attack to reproduce itself independent of the attacker, Wysopal said.

"There's enough code circulating out there that any moderately competent programmer could put together a worm," he said. "It's knitting at this point. You know what to do, it just takes a certain amount of time to do it."

That, coupled with a critical and remotely executable vulnerability on public-facing Web servers poses a significant threat for organizations that haven't patched vulnerable Windows servers, according to Wysopal.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.

Also on Wednesday, Microsoft provided an updated patch for the WebDAV vulnerability that covers Windows NT 4.0.

The Redmond, Wash.-based company knew in March that the vulnerable ntdll.dll component existed in NT 4.0 in addition to Windows 2000. However, NT 4.0 does not support WebDAV and was not vulnerable to attack, so no patch for that platform was supplied at that time, Microsoft said.

Microsoft could not immediately comment on whether the decision to supply a patch for the NT 4.0 platform means that systems running that operating system are also vulnerable to exploitation by the new vulnerability.

Citadel, Microsoft and others strongly recommend that customers using IIS version 5.0 on Windows 2000 or Windows NT apply the patch at the earliest possible opportunity.