Yesterday, Microsoft issued Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise) regarding a serious problem in the Microsoft IIS WWW Distributed Authoring and Versioning (WebDAV) component when running on Windows 2000 systems. The problem stems from a buffer overflow condition that could let a remote intruder execute code on the server, which could lead to a server compromise. The problem doesn't affect Windows XP or Windows NT systems.
Describing the problem, the company said "WebDAV [is] a set of extensions to the Hyper Text Transfer Protocol (HTTP) that provides a standard for editing and file management between computers on the Internet. A security vulnerability is present in a Windows component used by WebDAV and results because the component contains an unchecked buffer. An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running IIS. The request could cause the server to fail or to execute code of the attacker's choice."
Users who have installed Microsoft's URLScan tool for IIS are protected against intrusion through this latest vulnerability, unless they've modified the URLScan configuration in a way that no longer rejects excessively long URLs. Microsoft published the article "MS03-007: How to Work Around the Vulnerability That Is Discussed in Microsoft Knowledge Base Article 815021" regarding this matter. The article describes several ways to disable WebDAV or limit buffer sizes in IIS. It includes a link to a Buffer Size Registry Tool, which users can run to modify the registry keys associated with IIS buffers, and it also lists the keys to change for users who prefer to modify the registry manually.
On Friday, Russ Cooper posted a message to the NTBugTraq mailing list stating that Mark and David Litchfield of NGSSoftware had discovered several variant ways to exploit this flaw on IIS systems. Based on what Cooper knows about the matter, disabling WebDAV would not stop the variant attacks; the only way to prevent them is to load the patch immediately.
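As an added illustration of the two workarounds discussed above (rejecting WebDAV verbs and rejecting over-long URLs), and of why a length cap covers variants that a verb block alone does not, here is a small URLScan-style request screener. It is example code written for this page, not Microsoft's or URLScan's code; the request lines are constructed, and the 260-character limit is an assumed cap, not a value taken from the bulletin.

```python
"""URLScan-style screening of HTTP request lines (example code, not URLScan itself)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 2518 WebDAV methods plus SEARCH, which IIS exposes through the same WebDAV component.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 260  # assumed cap, analogous in spirit to a URLScan MaxUrl-type limit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/1\.[01]$")


@dataclass
class Verdict:
    method: str
    url_length: int
    reason: Optional[str]  # None means the request is allowed through


def screen_request(request_line: str, webdav_enabled: bool = False) -> Verdict:
    """Return why a request line would be rejected, or None if it passes."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return Verdict("?", len(request_line), "malformed request line")
    method, url = m.group("method"), m.group("url")
    # The length check runs first and for every verb: this is the control that still
    # applies when a variant avoids the WebDAV verbs an administrator has turned off.
    if len(url) > MAX_URL_LENGTH:
        return Verdict(method, len(url), "url exceeds MaxUrl")
    if method in WEBDAV_METHODS and not webdav_enabled:
        return Verdict(method, len(url), "webdav method while WebDAV disabled")
    if method not in ALLOWED_METHODS and method not in WEBDAV_METHODS:
        return Verdict(method, len(url), "method not on allow list")
    return Verdict(method, len(url), None)


def screen_all(lines: List[str], webdav_enabled: bool = False) -> List[Verdict]:
    return [screen_request(line, webdav_enabled) for line in lines]


# Constructed sample request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "PROPFIND /docs/ HTTP/1.1",
    "SEARCH /" + "A" * 300 + " HTTP/1.1",  # WebDAV verb with an over-long URL
    "GET /" + "B" * 300 + " HTTP/1.1",     # ordinary verb, but still over the URL cap
    "TRACE / HTTP/1.1",
]

if __name__ == "__main__":
    for v in screen_all(SAMPLE_REQUESTS):
        print(f"{v.method:9} len={v.url_length:4} -> {v.reason or 'allowed'}")
```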