IT Security & Policy
Possible IIS 6 authentication bypass vulnerability

A 0-day authentication bypass vulnerability has been reported in IIS 6 and is being actively exploited in the wild.


Affected:
IIS 6 implementation running WebDAV

Impact:
Attackers could access any file on the system. Because this covers any file, attackers could possibly run arbitrary code if they gain access to the right file (such as cmd.exe).

Mitigation:
If possible, disable WebDAV. Systems such as SharePoint rely on WebDAV, so this is not always a suitable mitigation. No other workarounds are available at this time.
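
To inventory which servers match the "Affected" condition above, or to confirm that WebDAV is no longer advertised after disabling it, the headers of a server's OPTIONS response can be classified as below. This is an added example, not part of the original advisory; the function names are hypothetical and the sample responses are constructed.

```python
# Added example: classify a host from the head of its HTTP OPTIONS response.
from email.parser import Parser

DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample responses (not captured from real hosts).
SAMPLE_IIS6_DAV = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, LOCK, UNLOCK\r\n\r\n")
SAMPLE_IIS6_NO_DAV = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD\r\n\r\n")
SAMPLE_IIS7_DAV = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nDAV: 1,2,3\r\n"
    "Allow: OPTIONS, GET, HEAD, PROPFIND\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, Parser().parsestr(header_block, headersonly=True)

def webdav_enabled(headers):
    """True if a DAV compliance class or any WebDAV method is advertised."""
    if headers.get("DAV", "").strip():
        return True
    advertised = set()
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            advertised.update(m.strip().upper() for m in value.split(","))
    return bool(advertised & DAV_METHODS)

def classify(raw):
    """Map an OPTIONS response onto the advisory's 'Affected' condition."""
    _, headers = parse_response(raw)
    is_iis6 = headers.get("Server", "").strip().lower().startswith("microsoft-iis/6.")
    dav = webdav_enabled(headers)
    if is_iis6 and dav:
        return "affected: IIS 6 with WebDAV enabled"
    if is_iis6:
        return "IIS 6, WebDAV not advertised"
    return "WebDAV enabled, not IIS 6" if dav else "not affected"

if __name__ == "__main__":
    for sample in (SAMPLE_IIS6_DAV, SAMPLE_IIS6_NO_DAV, SAMPLE_IIS7_DAV):
        print(classify(sample))
```

The Server banner can be altered or stripped, so a result other than "affected" should be confirmed against the host's actual IIS configuration.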

Other Notes:
IIS 7 has not been identified as affected at this time. There have been confirmed exploits used in the wild. Proof of concept code has been posted to milw0rm: http://www.milw0rm.com/

Links:
‘Possible authentication bypass vulnerability in IIS6’ (http://www.auscert.org.au/render.html?it=11001)

Microsoft has released an advisory regarding this vulnerability in IIS 6.0. Please review the following article for additional information and mitigating factors:

http://www.microsoft.com/technet/security/advisory/971492.mspx

See Also:

http://packetstormsecurity.org/0905-exploits/iiswebdav-bypass.pdf