Tool found for WebDAV vulnerability

A computer security company warned on Wednesday that it discovered a new automated tool for exploiting the recently publicized WebDAV vulnerability affecting Microsoft's Windows NT and 2000 operating systems.

The availability of an automated attack tool on the Internet may pave the way for a new worm that could take advantage of unpatched systems, raising the stakes for those organizations that have not applied Microsoft's patch, according to a statement from Citadel Security Software.

Microsoft originally disclosed the vulnerability when it released a patch for the problem in March.

WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams.

An unchecked buffer in a core Windows component, ntdll.dll, could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007. (See http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur....)

The vulnerability allows attackers to mount a denial of service (DoS) attack against Windows 2000 machines or execute their own malicious code in the security context of the Internet Information Server (IIS) service, giving them unfettered access to the vulnerable system, Microsoft said.

At the time the bulletin was released, Microsoft and Internet Security Systems Inc. were aware of at least one attack against a Microsoft customer that used the heretofore unknown WebDAV vulnerability, though no automated tools to take advantage of the vulnerability existed.

With the help of an automated tool, even technically unsophisticated attackers, or "script kiddies," could launch such attacks on a wide scale, according to Chris Wysopal, director of research and development at @stake Inc. in Cambridge, Mass.

Such automated tools often appear soon after new vulnerabilities and exploits become known within the malicious hacking community, following a progression from simple 'proof of concept' exploits to more sophisticated attacks and then to automated attacks, Wysopal said.

Automated tools often build on the work of others, adding functionality for automatically scanning ranges of Internet addresses for vulnerable hosts and graphical user interfaces that make it easy to compromise large numbers of vulnerable machines, even with no understanding of how the exploits work, according to Wysopal.

"Once you get to that point, [automated tools] can be turned into a worm. That's the point where it's at now," he said.

The transition from automated tool to worm could be short, with the "guts" of the automated tool married to code that enables the attack to reproduce itself independent of the attacker, Wysopal said.