Microsoft is investigating new public reports of a possible vulnerability in Microsoft Internet Information Services (IIS). An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests.
An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
Microsoft is not aware of attacks that are trying to use this vulnerability or of customer impact at this time. Microsoft is investigating the public reports and, upon completion of this investigation, will take the appropriate action to help protect its customers. This may include providing a security update through the monthly release process or providing an out-of-cycle security update, depending on customer needs.
- File system ACLs are enforced. This vulnerability bypasses the IIS configuration that specifies which authentication is allowed, but not the file system-based ACL check that verifies whether a file is accessible by a given user. A successful exploit of the vulnerability would still restrict the attacker to the permissions granted to the anonymous user account at the file system ACL level. Therefore, this vulnerability cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs. The default anonymous user account is configured as the IUSR_
- The anonymous user account is denied write access by default. In order to successfully exploit this vulnerability with write access, the anonymous user account would need to have write access ACLs set within the IIS folder structure. However, by default, the anonymous user account only has read access ACLs set. On IIS 6.0, there is an explicit deny ACE for the default anonymous user account. Unless overridden by the administrator, this deny ACE will be inherited by all children under the default Web site root.
- WebDAV is not enabled by default on IIS 6.0. On Windows Server 2003 systems running IIS 6.0, WebDAV is not enabled in the default configuration. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed.
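
Because the file system ACL check is what still limits an anonymous request, the following added example (not Microsoft's code) audits a web root for write-type rights that ACEs grant directly to the anonymous account. `$WebRoot` and `$Account` are operator-supplied assumptions; grants that reach the account through a group such as Everyone or Users are not evaluated.

```powershell
# Added example, not from the advisory. Requires PowerShell 3.0 or later.
# Both parameters are assumptions supplied by the operator.
param(
    [Parameter(Mandatory = $true)][string]$WebRoot,   # content root to audit
    [Parameter(Mandatory = $true)][string]$Account    # anonymous account, as DOMAIN\name or MACHINE\name
)

# Compare by SID so the match does not depend on how the name is formatted.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Rights that allow creating, changing or deleting content, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$writeRights -bor 0x10000000 -bor 0x40000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$items = @(Get-Item -LiteralPath $WebRoot) +
         @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }                       # unreadable ACL: skip
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    # Walk ACEs in DACL order; the first ACE to mention a bit decides it.
    # An explicit allow on a child therefore overrides an inherited deny ACE.
    $decided = 0; $granted = 0
    foreach ($ace in $rules) {
        if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # not applied to this object
        $bits = ([int]$ace.FileSystemRights -band $writeMask) -band (-bnot $decided)
        if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bits }
        $decided = $decided -bor $bits
    }
    if ($granted -ne 0) {
        [pscustomobject]@{
            Path        = $item.FullName
            WriteBits   = '0x{0:X8}' -f $granted
            IsContainer = $item.PSIsContainer
        }
    }
}

# No output means no ACE grants the account write-type rights directly.
$findings | Sort-Object Path | Format-Table -AutoSize
```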