Tool found for MS WebDAV vulnerability

A computer security company warned on Wednesday that it discovered a new automated tool for exploiting the recently publicized WebDAV vulnerability affecting Microsoft Corp.'s Windows NT and 2000 operating systems.

The availability of an automated attack tool on the Internet may pave the way for a new worm that could take advantage of unpatched systems, raising the stakes for those organizations that have not applied Microsoft's patch, according to a statement from Citadel Security Software Inc.

Microsoft originally disclosed the vulnerability when it released a patch for the problem in March.

WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams.

An unchecked buffer in a core Windows component, ntdll.dll, could enable an attacker to cause a buffer overflow on the machine running IIS, according to the Microsoft Security bulletin MS03-007. (See

The vulnerability allows attackers to mount a denial of service (DoS) attack against Windows 2000 machines or execute their own malicious code in the security context of the Internet Information Server (IIS) service, giving them unfettered access to the vulnerable system, Microsoft said.

At the time the bulletin was released, Microsoft and Internet Security Systems Inc. were aware of at least one attack against a Microsoft customer that used the heretofore unknown WebDAV vulnerability, though no automated tools to take advantage of the vulnerability existed.

With the help of an automated tool, even technically unsophisticated attackers, or "script kiddies," could launch such attacks on a wide scale, according to Chris Wysopal, director of research and development at @stake Inc. in Cambridge, Massachusetts.

Such automated tools often appear soon after new vulnerabilities and exploits become known within the malicious hacking community, following a progression from simple 'proof of concept' exploits to more sophisticated attacks and then to automated attacks, Wysopal said.

Automated tools often build on the work of others, adding functionality for automatically scanning ranges of Internet addresses for vulnerable hosts and graphical user interfaces that make it easy to compromise large numbers of vulnerable machines, even with no understanding of how the exploits work, according to Wysopal.

"Once you get to that point, (automated tools) can be turned into a worm. That's the point where it's at now," he said.

The WebDAV vulnerability tool uncovered by Citadel uses a command line interface rather than a graphical interface, but comes with detailed instructions that describe the command syntax necessary to compromise vulnerable machines, according to Kerry Steele, director of vulnerability research and remediation at Dallas, Texas-based Citadel.

"This is an automated tool that anyone including your grandma could use to attack machines on the Internet," Steele said. The tool is currently circulating online within "the underground security community," according to Steele.

The transition from automated tool to worm could be short, with the "guts" of the automated tool married to code that enables the attack to reproduce itself independent of the attacker, Wysopal said.

"There's enough code circulating out there that any moderately competent programmer could put together a worm," he said. "It's knitting at this point. You know what to do, it just takes a certain amount of time to do it."

Steele agreed, saying it would take an experienced computer hacker only a matter of hours to join the self replication code from the SQL Slammer worm to the automated WebDAV exploit tool his company uncovered, producing a powerful worm.

That, coupled with a critical and remotely executable vulnerability on public-facing Web servers poses a significant threat for organizations that haven't patched vulnerable Windows servers, according to Wysopal.

Attacks could come in the form of malformed WebDAV requests to a machine running IIS version 5.0. Because WebDAV requests typically use the same port as other Web traffic (Port 80), attackers would only need to be able to establish a connection with the Web server to exploit the vulnerability, Microsoft said.

While organizations affected by the Slammer worm could simply block port 1434, which was used by the worm, those affected by the WebDAV vulnerability could not shut down the port used in an attack without cutting off access to their Web page, Steele said.

Also on Wednesday, Microsoft provided an updated patch for the WebDAV vulnerability that covers Windows NT 4.0.

The Redmond, Washington, company knew in March that the vulnerable ntdll.dll component existed in NT 4.0 in addition to Windows 2000. However, NT 4.0 does not support WebDAV and was not vulnerable to attack, so no patch for that platform was supplied at that time, Microsoft said.

Despite that and the absence of any attacks against NT 4.0 machines using the ntdll.dll vulnerability, Microsoft felt that patching NT 4.0 was a priority, according to Stephen Toulouse, security program manager at Microsoft's Security Response Center.

"What we were trying to communicate in the (updated) bulletin was that even though the WebDAV vector was not present in NT 4.0, the vulnerability is still available," Toulouse said.

Attackers could well find other ways than the WebDAV extensions to exploit the ntdll.dll vulnerability, Toulouse said.

Citadel, Microsoft and others strongly recommend that customers using IIS version 5.0 on Windows 2000 or Windows NT apply the patch at the earliest possible opportunity.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?