Microsoft KB Archive/291845

= Malformed WebDAV request can cause IIS to exhaust CPU resources =

Article ID: 291845

Article Last Modified on 11/21/2006


APPLIES TO


 * Microsoft Internet Information Services 5.0




This article was previously published under Q291845



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
World Wide Web Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP protocol that allows remote authoring and management of Web content. In the Windows 2000 implementation of the protocol, Microsoft Internet Information Services (IIS) 5.0 performs the initial processing of all WebDAV requests, and then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such malformed requests is directed at an affected server, the requests consume all available CPU capacity on the server.

Mitigating Factors:
 * The effect of an attack through this vulnerability is temporary. The server automatically resumes normal service as soon as the malformed requests stop arriving.
 * This vulnerability does not provide an attacker with any capability to carry out WebDAV requests.
 * This vulnerability does not provide any capability to compromise data on the server or gain administrative control over the server.

Microsoft recommends that customers apply the patch described in this article to any servers running IIS 5.0. Although this includes Web servers, other services may also require that IIS 5.0 be enabled. For example, Exchange 2000 Server uses IIS 5.0 to provide Outlook Web Access (OWA) services. Therefore, computers running Exchange 2000 Server that provide OWA services should implement the patch to protect their IIS 5.0 services from this vulnerability.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

The English version of this fix should have the following file attributes or later:

  Date        Time    Version      Size     File name
  ----------------------------------------------------
  03/12/2001  10:57a  0.9.3940.20  439,056  Httpext.dll

IMPORTANT: If you previously performed the workaround described in article Q241520, the following dialog box may be displayed when you install this fix:

 Copy Error
 Setup cannot copy the file httpext.dll. Ensure that the location specified below is correct, or change it and insert 'Windows 2000 System Files' in the drive you specify.
 Copy files from: (drop down box below) c:\%windir%\system32\inetsrv

To bypass this dialog box, follow these steps to re-enable WebDAV:
 1. Open Windows Explorer.
 2. Go to your %SystemRoot%\System32\Inetsrv folder.
 3. Right-click your Httpext.dll file, and then click Properties.
 4. Click the Security tab.
 5. Select Everyone, and then click Remove.
 6. Select the Allow inheritable permissions from parent to propagate to this object check box, and then click Apply.
 7. Click OK to exit the Properties dialog box.
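
To audit whether a copy of Httpext.dll (for example, one pulled from a server image) is at or above the fixed version in the file table above, the following added example reads the file version from the DLL's version resource. It is not Microsoft's code; the function names are hypothetical, and it assumes the VS_FIXEDFILEINFO block can be located by scanning for its signature rather than by walking the PE resource tree.

```python
import struct
import sys

# Minimum patched version of Httpext.dll, taken from the file table above.
FIXED_VERSION = (0, 9, 3940, 20)

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored on disk (little-endian).
_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(data):
    """Return (major, minor, build, revision) from the version resource, or None.

    Assumption: the first occurrence of the signature is the real
    VS_FIXEDFILEINFO block; adequate for an audit check, not a full PE parser.
    """
    pos = data.find(_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None  # no version resource, or file truncated
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def is_patched(data):
    """True only if a version was found and it is FIXED_VERSION or later."""
    version = file_version(data)
    return version is not None and version >= FIXED_VERSION


def make_sample(version):
    """Constructed input: padding plus a minimal VS_FIXEDFILEINFO header."""
    major, minor, build, rev = version
    return b"MZ" + b"\x00" * 62 + struct.pack(
        "<4I", 0xFEEF04BD, 0x00010000, (major << 16) | minor, (build << 16) | rev)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = make_sample(FIXED_VERSION)  # constructed sample, not a real DLL
    status = "patched" if is_patched(blob) else "NOT patched or version unknown"
    print(file_version(blob), status)
```

A file with no readable version resource is reported as not patched, so a damaged or replaced DLL fails the check instead of passing silently.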



WORKAROUND
For more information about how to work around this problem, click the following article number to view the article in the Microsoft Knowledge Base:

241520 How to disable WebDAV for IIS 5.0



STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
For more information on this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-016.mspx

For more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 hotfixes


© Microsoft Corporation. All rights reserved.