Multiple exploits have been made public for the recently announced WebDAV (World Wide Web Distributed Authoring and Versioning) vulnerability that affects Windows 2000 machines. Experts urge users of vulnerable systems to patch their machines, because workarounds may not totally protect them from attack.
The vulnerability lies in Windows 2000. Initially, it was exploited on systems running WebDAV on Internet Information Services (IIS) Web Server version 5.0. But other applications can be used to exploit the flaw. If exploited, the vulnerability could allow attackers to run arbitrary code on the system.
Last week, veteran vulnerability finder David Litchfield posted his company's (NGS Software) analysis of the vulnerability. "It must be stressed that IIS was simply the attack vector; the method or route used to actually exploit the flaw," Litchfield wrote.
NGS Software researchers found other attack vectors including ones involving Java-based Web servers and other non-WebDAV related issues in IIS. "There are too many ways for an attacker to 'access' the vulnerability. Likely areas will be non-MS Web and ftp servers, IMAP servers, antivirus solutions and other MS Windows Services," he also said.
"Consequently, NGS Software believes that every Windows 2000 server or workstation should be patched, and patched as soon as possible -- regardless of whether the box is running IIS or not," he added.
Copies of exploit code were posted to vulnerability mailing lists BugTraq and VulnWatch within the past few days. One poster was Rafael Nunez, information security consultant at Scientech de Venezuela and a former hacker (he called himself "RaFa"). He didn't write the code, but he tweaked it so it would function properly.
"I released it to enlighten the public and to promote system security for administrators unfamiliar with these exploits," he said in an e-mail interview this morning. "I believe more exploits will be written and made public, which will further enhance system security in the long run," Nunez said.
Few experts are surprised that exploit code is available a week after it was disclosed. The vulnerability was actually found while being exploited on a U.S. Army Web site.
"In theory, they all work," said Russ Cooper, surgeon general of TruSecure Corp., which has seen five versions of the exploit. "They will need a little work for use in an automated attack tool."
Last week, Cooper predicted that a worm would soon be available that would take advantage of the flaw. He said this morning that it is still plausible, as evidenced by all the versions of exploit code being created.
System administrators can take some preventive measures, such as disabling WebDAV and doing URL scanning, Cooper said. "Even with these, it is possible that a system could be vulnerable if not patched," he said.
Cooper also warns that the vulnerability is not limited to just WebDAV running on Windows 2000 boxes with IIS version 5. "The vulnerability is in the core of the operating system," he said. Given that that's the case, any application that invokes the affected area can be open to attack.
The vulnerability does highlight a weakness in the patching process, said Dan Ingevaldson, team lead for ISS' X-Force R&D. In the past, there would be a window of two weeks to a month between the time a vulnerability was disclosed and the time the exploit code became available. That gap is closing. In the case of the WebDAV flaw, there was no window at all, since it was exploited before being disclosed.
Companies can use intrusion-detection systems and follow a layered security approach to help protect themselves while patching systems, Ingevaldson said. "But there are still a lot of companies that rely just on patching. That's why we see 300,000 machines getting infected [when a worm hits]," he said.
FOR MORE INFORMATION:
- FEEDBACK: How quickly will you patch WebDAV?
Send your thoughts to the SearchSecurity.com news team.