A vulnerability has been identified in Microsoft Internet Information Services (IIS), which could allow remote attackers to bypass security restrictions and gain knowledge of sensitive information. This issue is caused by an input validation error in WebDav that fails to verify credentials before accessing password-protected resources when handling HTTP GET or PROPFIND requests containig a Unicode-encoded character (e.g. the slash character as "%c0%af") with a "Translate: f" header, which could allow remote attackers to gain unauthorized read and upload access to protected folders without providing authentication credentials.

Affected Products

Microsoft Internet Information Services (IIS) version 6.0
Microsoft Internet Information Services (IIS) version 5.1
Microsoft Internet Information Services (IIS) version 5.0

Solution

Apply patches :
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx

References

http://www.vupen.com/english/advisories/2009/1330
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx

In-depth Binary Analysis

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Private Exploit or PoC

Available in customer area as part of VUPEN Binary Analysis & Exploits Service and VUPEN Vulnerability Notification Service Ultimate Feed Edition.
 

Public Exploit or PoC

Available in customer area as part of VUPEN Vulnerability Notification Service.
 

Credits

Vulnerability reported by Nikolaos Rangos.

Changelog

2009-05-18 : Initial release
2009-05-19 : Updated Advisory
2009-05-25 : Updated Severity
2009-06-09 : Updated Solution

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.