Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1353
HistoryMar 11, 2001 - 12:00 a.m.

Security Bulletin MS01-016

2001-03-1100:00:00
vulners.com
15
JSON

Title: Malformed WebDAV Request Can Cause IIS
to Exhaust CPU Resources
Date: 08 March 2001
Software: IIS 5.0
Impact: Denial of Service
Bulletin: MS01-016

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp.

Issue:

WebDAV is an extension to the HTTP protocol that allows remote
authoring and management of web content. In the Windows 2000
implementation of the protocol, IIS 5.0 performs initial processing
of all WebDAV requests, then forwards the appropriate commands to the
WebDAV process. However, a flaw exists in the way WebDAV handles a
particular type of malformed request. If a stream of such requests
were directed at an affected server, it would consume all CPU
availability on the server.

Because the discoverer of this vulnerability has chosen to publish
code to exploit this vulnerability before a patch could be developed,
Microsoft has developed a workaround that can be used to defend
against attack. Knowledge Base article Q241520 provides step-by-step
instructions for changing the permissions on the .DLL that provides
WebDAV services in order to effectively disable it on the machine.
When a patch is available, we will re-release this bulletin and
provide updated information.

Microsoft recommends that customers consider applying the workaround
to any servers running IIS 5.0. Although this obviously includes web
servers, other services, notably Exchange 2000, may also require that
IIS 5.0 be enabled.

Mitigating Factors:

  • The effect of an attack via this vulnerability would be temporary.
    The
    server would automatically resume normal service as soon as the
    malformed
    requests stopped arriving.

  • The vulnerability does not provide an attacker with any capability
    to
    carry out WebDAV requests.

  • The vulnerability does not provide any capability to compromise
    data on
    the server or gain administrative control over it.

Patch Availability:

Please read the Security Bulletin
http://www.microsoft.com/technet/security/bulletin/ms01-016.asp
for more information on this vulnerability.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

JSON