Tool exploits MS WebDAV vulnerability

A computer security company has warned that it discovered a new automated tool for exploiting the recently publicised WebDAV...

A computer security company has warned that it has discovered a new automated tool for exploiting the recently publicised WebDAV vulnerability affecting Microsoft's Windows NT and 2000 operating systems.

The availability of an automated attack tool on the internet may pave the way for a new worm that could take advantage of unpatched systems, according to Citadel Security Software.

Microsoft originally disclosed the vulnerability when it released a patch for the problem in March. 

WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams.

An unchecked buffer in a core Windows component, ntdll.dll, could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007.

The vulnerability allows attackers to mount a denial of service (DoS) attack against Windows 2000 machines or execute their own malicious code in the security context of the Internet Information Server (IIS) service, giving them unfettered access to the vulnerable system, Microsoft said.

At the time the bulletin was released, Microsoft and Internet Security Systems were aware of at least one attack against a Microsoft customer that used the previously unknown WebDAV vulnerability.

With the help of an automated tool, even technically unsophisticated attackers, or "script kiddies", could launch such attacks on a wide scale, said Chris Wysopal, director of research and development at @stake.

Such automated tools often appear soon after new vulnerabilities become known within the malicious hacking community, following a progression from simple 'proof of concept' exploits to more sophisticated attacks and then to automated attacks, Wysopal said.

Automated tools often build on the work of others, adding functionality for automatically scanning ranges of internet addresses for vulnerable hosts and graphical user interfaces that make it easy to compromise large numbers of vulnerable machines, said Wysopal.

"Once you get to that point, [automated tools] can be turned into a worm. That's the point where it's at now," he said.

The WebDAV vulnerability tool uses a command line interface rather than a graphical interface, but comes with detailed instructions that describe the command syntax necessary to compromise vulnerable machines, said Kerry Steele, director of vulnerability research and remediation at Citadel.

"This is an automated tool that anyone could use to attack machines on the internet," Steele said.  The tool is currently circulating online within "the underground security community", according to Steele.

"There's enough code circulating out there that any moderately competent programmer could put together a worm," Wysopal said. "It's knitting at this point. You know what to do, it just takes a certain amount of time to do it." 

Steele agreed, saying it would take an experienced computer hacker only a matter of hours to join the self replication code from the SQL Slammer worm to the automated WebDAV exploit tool Citadel uncovered, producing a powerful worm.

That, coupled with a critical and remotely executable vulnerability on public-facing web servers poses a significant threat for organisations that have not patched vulnerable Windows servers, said Wysopal.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other web traffic (port 80), attackers would only need to be able to establish a connection with the web server to exploit the vulnerability, Microsoft said.

While organisations affected by the Slammer worm could simply block port 1434, which was used by the worm, those affected by the WebDAV vulnerability could not shut down the port used in an attack without cutting off access to their web page, Steele said.

This week Microsoft provided an updated patch for the WebDAV vulnerability that covers Windows NT 4.0.

The company knew in March that the vulnerable ntdll.dll component existed in NT 4.0 in addition to Windows 2000. However, NT 4.0 does not support WebDAV and was not vulnerable to attack, so no patch for that platform was supplied at that time, Microsoft said.  

Microsoft felt that patching NT 4.0 had become a priority, said Stephen Toulouse, security programme manager at Microsoft's Security Response Center. Attackers could well find other ways than the WebDAV extensions to exploit the ntdll.dll vulnerability, he said.

Citadel, Microsoft and others strongly recommend that customers using IIS version 5.0 on Windows 2000 or Windows NT apply the patch at the earliest possible opportunity.

Read more on Hackers and cybercrime prevention