Microsoft Windows 2000 WebDAV / ntdll.dll Buffer Overflow Vulnerability
Microsoft has released Security Bulletin MS03-007, which outlines a previously unreported vulnerability present in the Microsoft Windows 2000 operating system and is exploitable through the IIS WebDAV component. The vulnerability is a buffer overflow condition, which is known to be exploitable through Microsoft IIS, but does not require Microsoft IIS to be enabled in order to be exploitable.
IIS, if installed, implements World Wide Web Distributed Authoring and Versioning (WebDAV) in the Microsoft Windows 2000 operating system. IIS is installed by default on the Windows 2000 Server and Advanced Server, but is not installed by default on Windows 2000 Professional.
The WebDAV protocol is documented in RFC 2518 and provides a standard for Web-based editing and file management. A buffer overflow vulnerability is present in a Microsoft Windows 2000 core component used by WebDAV. WebDAV does not perform sufficient bounds checking on data passed to a particular system component.
When unusually long data is supplied to the WebDAV component, it is, in turn, passed to the vulnerable ntdll.dll system component. The ntdll.dll fails to perform sufficient bounds checking on this data, allowing a buffer to be overrun. This could result in the execution of arbitrary code in the context of the IIS service, which is LocalSystem, by default.
Microsoft Windows 2000
We strongly encourage administrators to apply the vendor-specific-supplied fixes provided below. Patches may be installed on Windows 2000 systems, running either Service Pack 2 or Service Pack 3.
All versions of Windows 2000, except Japanese NEC patch:
Windows 2000 Japanese NECE version patch:
Symantec Enterprise Firewall, Symantec VelociRaptor, and Symantec Gateway Security
All currently supported versions protect Microsoft 2000 IIS servers against this recently announced WebDAV exploit. The HTTPd module that provides full application inspection for HTTP and WebDAV protocols strictly enforces the HTTP 1.0 and 1.1 RFCs. By default, the HTTPd module is configured to deny the WebDAV protocol with the option to enable WebDAV functionality. Microsoft 2000 IIS servers are also protected when the WebDAV functionality is enabled on the HTTPd module. Patches or configuration changes to HTTPd are not required to protect against this exploit.
Note: Although the Symantec Gateway Security appliance (as well as Symantec VelociRaptor and Symantec Enterprise Firewall) already blocks this threat at the application layer of the firewall, Symantec Gateway Security has also posted a signature to detect the specific exploit in its IDS portion.
Symantec Enterprise Security Manager
The Symantec Enterprise Security Manager OS Patch Policy will detect the presence of the Microsoft patch that prevents the Windows 2000 WebDAV Buffer Overflow Vulnerability.
Symantec Intruder Alert
The Symantec Intruder Alert policy contains a rule that detects attempts to overflow the ntdll.dll system component of WebDAV.
Symantec NetProwler 3.5.1 Security Update 24 includes detection for this vulnerability.
Symantec ManHunt Protocol Anomaly Detection technology detects this specific exploit as "HTTP Malformed URL." Although ManHunt can detect the exploit with the Protocol Anomaly Detection technology, a custom rule that can be used in the Hybrid mode function for exactly identifying the exploit follows.
To specifically detect this threat as IIS_Webdav_Exploit, Symantec recommends that users of the Symantec ManHunt product activate the HYBRID MODE function and apply the following custom rule:
#Variables need to be set dependent on the users network.
#Below are examples on how to set variables.
#For more information see Symantec ManHunt
#Administrative Guide: Appendix A.
var HTTP_PORTS 80
alert tcp any any -> any $HTTP_PORTS (msg:"IIS_Webdav_Exploit";
content:"NNNNaaaa?cjjs HTTP/"; nocase; content:"Translate|3a| f";
nocase; reference:CAN-2003-0109; reference:BID 7116;)
For more information on creating the custom signatures, refer to the "Symantec ManHunt Administrative Guide: Appendix A Custom Signatures for HYBRID Mode."
We recommend administrators and users to follow the aforementioned steps to protect their systems. Symantec Security Response does not supply virus definitions to detect any existing exploit tools for this vulnerability, as detecting such tools is not sufficient enough to prevent attacks on vulnerable computers. This exploit tool is also known as Rolark.
Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.