Zero-Day Tracker
Common Name:
NTDLL "IIS WebDAV"
Date Disclosed:
3/17/2003
Date Patched:
4/23/2003
Vendor:
Microsoft
Application:
Windows NT4
Windows 2000
Windows XP
Description:
A buffer overflow in ntdll.dll allows a remote attacker to execute arbitrary code via WebDAV. IIS 5.0 was the primary vector for this vulnerability, even though the vulnerable code resided in the underlying operating system rather than in IIS.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution as SYSTEM
Although the vulnerable code is within ntdll.dll, a common vector for attacking it is IIS 5.0 with WebDAV enabled. Using this vector, an anonymous attacker would be able to execute arbitrary code against a remote host as SYSTEM. This is especially significant because the vector is a port that is commonly left un-firewalled, allowing for a mass-exploitation scenario.
Mitigation:
Since this vulnerability is patched, the primary mitigation is to apply MS03-007. Another mitigation is to use the IIS Lockdown tool, as detailed in the Microsoft patch advisory.
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect this vulnerability.
Microsoft Patch - MS03-007
Links:
CVE-2003-0109
First Public PoC Code Disclosure (Malicious Payload - Reverse Shell)
Status:
3/17/2003: Patched by MS03-007
