
About MS03-007

- by Brett Hill


Update: This vulnerability is critical and all Windows 2000 operating systems must be patched. The initial attack vector was reported as WebDAV via IIS, but other vectors exist and will be exploited. Apply this hotfix immediately. Read the MS bulletin.


This article is a reprint of an IISAnswers newsletter bulletin that contains a summary of details that emerged 3/17/03 regarding the IIS vulnerability MS03-007. Many thanks to those who participated in the discussion on the IIS 5 list at www.iislists.com and to some Microsoft folks who were very responsive to my questions.

In addition to the following information, there are some reports of blue screens after installing the patch. Here are the details from the newly updated bulletin:

"We've assessed this issue and now know that it only occurs under a specific set of circumstances. A series of Windows 2000 hotfixes that were only available through Product Support Services and were issued between December 2001 and February 2002 were incompatible with the patch for this vulnerability. Customers who are running one of those 12 hotfixes on Windows 2000 Service Pack 2 will experience a stop error on reboot after applying this patch. More information on how to determine if you have installed a hotfix that is incompatible with this patch is available in the Additional Information section under Caveats."


************************************************
* IIS Answers Bulletin
* Critical WebDAV vulnerability
* Requires Urgent Action on Windows 2000
* Follow-up
************************************************

I've spent most of the day tracking the issues around MS03-007 (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-007.asp and http://support.microsoft.com/default.aspx?scid=kb;en-us;815021) on the IIS 5 list at www.iislists.com and in private discussion.

Here's a quick summary plus the answers to the questions left open in this morning's bulletin.

As I understand it, this vulnerability is actually not a WebDAV vulnerability, but is in NTDLL.DLL, a core operating system component. The exploit is accessed through WebDAV. Denying access to WebDAV disables the HTTP vector to reach the problem component, but does not fix the problem. While at this moment, the only method to exploit the buffer overflow I know about is through HTTP/WebDAV, there may be other means that are not known or not announced. This should not be underestimated.

Consequently, the only fix is patching the server.

Even so, not all servers are equally at risk. If someone asked me to create a prioritized list, I would rank them in this order: Windows 2000 operating systems that run:

1. IIS with WebDAV enabled

2. IIS with WebDAV disabled

3. IIS not installed

I cannot overstate the importance of patching all Windows 2000 operating systems regardless of their relationship to IIS and WebDAV.

In order to assess immediate risk, you need to know whether WebDAV is disabled or not. But if you don't know, don't spend time trying to figure it out; patch the server(s) instead.

URLSCAN Methods

The significant settings for preventing access to this exploit with URLScan are to deny the TRANSLATE verb and to limit the length of the URL to less than 64K using the MaxURL setting in the URLScan 2.5 templates (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp). Note that this last setting is NOT available to you unless you have upgraded URLScan from the version installed with the Lockdown tool to version 2.5. If you make a change in URLScan.ini, you need to restart IIS. You do not need to reboot.

Non URLScan Methods

WebDAV control

WebDAV access is disallowed when you have ACL'd HTTPEXT.DLL such that it cannot be executed as mentioned in http://support.microsoft.com/default.aspx?kbid=307934 or http://support.microsoft.com/default.aspx?kbid=291845. This will be the case if you ran the IIS Lockdown tool and selected to Disable WebDAV.

Alternatively, or in addition, you can use the registry setting HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\DisableWebDAV (set to 1) to turn off WebDAV on the system.

Limit length of Client Headers

This particular exploit evidently requires that over 65K be sent from the client to the server in the initial HTTP request. Microsoft is recommending configuring the old HKLM\SYSTEM\CurrentControlSet\Services\w3svc\parameters\MaxClientRequestBuffer setting to limit the size of the request that a client can send to IIS (KB 260694). I've stopped using this setting since URLScan came along, but for those of you who can't use URLScan, this is a good way to improve your defenses. See the Security Bulletin for MS03-007 and the just-posted http://support.microsoft.com/default.aspx?scid=kb;en-us;816930 for advice about configuring MaxClientRequestBuffer.

More URLScan advice from Mark Burnett:
(updates previous post to IIS5 and NTBugTraq)

Block the following WebDAV-related headers using the [DenyHeaders] section of URLScan.ini

[DenyHeaders]
Translate:
DAV:
Depth:
Destination:
If:
Label:
Lock-Token:
Overwrite:
TimeOut:
TimeType:
DAVTimeOutVal:
Other:

If you require WebDAV, you can limit the length of each individual header with these entries in the [RequestLimits] section (The exact values are obviously pretty generic and may need to be increased or decreased based on your particular configuration):

[RequestLimits]
Max-DAV=250
Max-Depth=250
Max-Destination=250
Max-If=250
Max-Label=250
Max-Lock-Token=250
Max-Overwrite=250
Max-TimeOut=250
Max-TimeType=250
Max-DAVTimeOutVal=250
Max-Other=250
Max-Translate=250

[brett adds: also of course MaxURL=(some number less than 64K). Make this setting as small as you can]
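The URLScan settings described in the URLSCAN Methods section (deny the TRANSLATE verb, cap MaxURL below 64K) and in Mark Burnett's [DenyHeaders] and [RequestLimits] entries above are easy to get subtly wrong: a header can be left both allowed and uncapped, or MaxUrl can simply be forgotten. The following Python script is an added example, not code from this article, from Brett Hill, from Mark Burnett or from Microsoft. It parses a URLScan.ini in the layout URLScan uses (bare-item sections such as [DenyVerbs] and [DenyHeaders], key=value sections such as [Options] and [RequestLimits], ';' comments) and reports which of the mitigations above are in place. The sample configuration is constructed. Two points are assumptions about URLScan 2.5's semantics rather than facts stated on this page: that UseAllowVerbs=1 means only the verbs in [AllowVerbs] pass (so TRANSLATE is blocked by omission) while UseAllowVerbs=0 means [DenyVerbs] is consulted, and that a missing MaxUrl should be reported as "not limited".

```python
"""Audit a URLScan.ini for the MS03-007 mitigations described above."""
import re

# WebDAV-related headers from the [DenyHeaders] list above, without the colon.
WEBDAV_HEADERS = ["Translate", "DAV", "Depth", "Destination", "If", "Label",
                  "Lock-Token", "Overwrite", "TimeOut", "TimeType",
                  "DAVTimeOutVal", "Other"]
URL_LIMIT = 64 * 1024  # the 64K URL threshold the article cites


def parse_urlscan_ini(text):
    """Parse URLScan.ini into {section: {"list": [...], "kv": {...}}}.
    Bare-item sections ([DenyVerbs], [DenyHeaders]) fill "list"; key=value
    sections ([Options], [RequestLimits]) fill "kv". Names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {"list": [], "kv": {}})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current]["kv"][key.strip().lower()] = value.strip()
        elif current is not None:
            sections[current]["list"].append(line)
    return sections


def _items(cfg, section):
    """Bare items of a list section, lower-cased, trailing ':' removed."""
    return {i.rstrip(":").lower() for i in cfg.get(section, {}).get("list", [])}


def translate_verb_blocked(cfg):
    """Assumption: UseAllowVerbs=1 -> only [AllowVerbs] pass; otherwise
    [DenyVerbs] is consulted. TRANSLATE is blocked in either case below."""
    if cfg.get("options", {}).get("kv", {}).get("useallowverbs") == "1":
        return "translate" not in _items(cfg, "allowverbs")
    return "translate" in _items(cfg, "denyverbs")


def max_url_below_64k(cfg):
    """MaxUrl in [RequestLimits] must be present and below 64K.
    Assumption: a missing MaxUrl is reported as not limited."""
    value = cfg.get("requestlimits", {}).get("kv", {}).get("maxurl", "")
    return value.isdigit() and int(value) < URL_LIMIT


def webdav_headers_allowed(cfg):
    """WebDAV headers from the list above that [DenyHeaders] does not block."""
    denied = _items(cfg, "denyheaders")
    return [h for h in WEBDAV_HEADERS if h.lower() not in denied]


def allowed_headers_without_limit(cfg):
    """Allowed WebDAV headers with no Max-<header> entry in [RequestLimits]."""
    limits = cfg.get("requestlimits", {}).get("kv", {})
    return [h for h in webdav_headers_allowed(cfg) if f"max-{h.lower()}" not in limits]


def audit(text):
    """Run every check over an INI file's text and return the findings."""
    cfg = parse_urlscan_ini(text)
    return {
        "translate_blocked": translate_verb_blocked(cfg),
        "maxurl_below_64k": max_url_below_64k(cfg),
        "webdav_headers_allowed": webdav_headers_allowed(cfg),
        "allowed_headers_without_limit": allowed_headers_without_limit(cfg),
    }


# Constructed sample (hypothetical server): WebDAV left on, no MaxUrl, two headers uncapped.
SAMPLE_INI = """\
; constructed sample, not a real server's file
[Options]
UseAllowVerbs=1
[AllowVerbs]
GET
HEAD
[DenyHeaders]
Translate:
If:
[RequestLimits]
Max-DAV=250
Max-Depth=250
Max-Destination=250
Max-Label=250
Max-Lock-Token=250
Max-Overwrite=250
Max-TimeOut=250
Max-TimeType=250
"""

if __name__ == "__main__":
    for name, result in audit(SAMPLE_INI).items():
        print(f"{name}: {result}")
```

Run `audit()` over the text of a server's URLScan.ini (for example `audit(open(path).read())`); for the constructed sample it reports TRANSLATE blocked, MaxUrl not limited, and DAVTimeOutVal and Other as headers that are neither denied nor capped. A finding only tells you what to change in URLScan.ini; after editing the file, IIS still has to be restarted, and, as the article stresses, none of this replaces applying the patch.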


© 2003 Brett Hill. All Rights Reserved.
No use without express written permission.