Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Microsoft IIS DoS Using WebDAV

Attack ID: CPAI-2003-18
Publish Date:
Category: Denial Of Service attack
Vulnerable Systems: Microsoft Internet Information Services 5.0
Microsoft Internet Information Services 5.1
Source: SPI Dynamics
Microsoft Security Bulletin MS03-018
CAN-2003-0226
Description: If an attacker sends a WebDAV request with a body over 49,153 bytes using the 'PROPFIND' or 'SEARCH' request methods, IIS will be forced to restart itself. All web server, email, and active ftp connections will be terminated, along with a disruption of future sessions during the time it takes IIS to restart.
Severity:
  This is a Denial Of Service attack, causing disruptions in all web, email and active FTP session, until IIS is restarted.
Details: If an attacker sends a WebDAV request with a body over 49,153 bytes using the 'PROPFIND' or 'SEARCH' request methods, IIS will be forced to restart itself. All web server, email, and active ftp connections will be terminated, along with a disruption of future sessions during the time it takes IIS to restart.
Attack Detection:

Using the SmartView Tracker one can identify blocked HTTP connections with a Malformed Request error message displayed in the information field.

Firewall-1 with Application Intelligence will produce the following detailed information, as an example to the use of "SEARCH" method within WebDav:

"Web security: HTTP method 'SEARCH' is not allowed.

For more details on HTTP methods please refer to SecureKnowledge solution sk17454. Note: The HTTP methods needed for using FrontPage server extensions, Outlook Web Access(OWA), Outlook Express and Hotmail, are enabled by the 'enable_propfind_method' global property."

Users of Check Point's Firewall-1 NG Feature Pack 3 are able to identify blocked HTTP connections connections with a Malformed Request error message displayed in the information field.
Solution:

Mitigating WebDAV related security issues is discussed in detail in previous
SmartDefense Advisories.

CPAI 2003-03 describes how to block WebDAV requests to a web server
protected by FireWall-1:

WebDAV attacks, can be blocked by FireWall-1, since FireWall-1 HTTP Security Server restricts WebDAV methods usage by default. One can verify this behavior by checking that the following flag in $FWDIR/conf/objects_5_0.C is set to false value:

enable_propfind_method (When enable_propfind_method is set to true, which is not the default setting, FireWall-1 HTTP Security Server will enable WebDAV HTTP methods.

Administrators should note that the flag (once set to true) will allow all WebDAV HTTP methods.

The SmartDefense Advisory team recommends installing the vendor's security patch.
Industry Reference:
Additional Information: Additional information regarding WebDav can be found in previous SmartDefense advisories:

CPAI-2003-03
CPAI-2003-08
CPSA-2003-03

Check Point SecureKnowledge: How to edit the objects file.