


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006305
SecurityTracker URL:
CVE Reference:   CVE-2003-0109   (Links to External Site)
Updated:  Mar 18 2003
Original Entry Date:  Mar 17 2003
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.0
Description:   A buffer overflow vulnerability was reported in Microsoft Internet Information Server (IIS) in its World Wide Web Distributed Authoring and Versioning (WebDAV) protocol implementation. A remote user could execute arbitrary code with Local System privileges. Systems running on Windows 2000 are vulnerable.

A remote user can send a specially crafted HTTP header to the server to trigger the buffer overflow and execute arbitrary code. The code will run in the Local System security context, giving the remote user full control of the system.

CERT reported in advisory CA-2003-09 that an exploit for this flaw has been publicly circulated.

The buffer overflow reportedly resides in ntdll.dll, used by the IIS WebDAV component.

IIS installations on Windows NT, XP, and Windows Server 2003 are reportedly not affected. IIS 4.0 reportedly does not have WebDAV enabled by default.

Impact:   A remote user can execute arbitrary code on the system in the security context of the IIS service. By default, IIS runs in the LocalSystem context.
Solution:   The vendor has released the following patch.

For all versions of Windows 2000 except Japanese NEC:

For Japanese NEC:

Microsoft indicates that the patch can be installed on Windows 2000 SP2 or SP3. They plan to include this fix in Windows 2000 SP4.

A reboot of your system is required after installing the patch.

Microsoft has released Knowledge Base article 815021 regarding this issue, available at:;en-us;815021

Microsoft has described several workarounds and tools in their advisory that can be used to mitigate this flaw, available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit is Available) Re: Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code
Exploit code is publicly available.
(Other Windows 2000 Applications Are Affected) Re: Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code
NGSSoftware has indicated that many other applications can potentially be used to exploit this flaw in Windows 2000, not just IIS.
(Additional Exploit Code is Available) Re: Microsoft IIS Web Server WebDAV Buffer Overflow Lets Remote Users Execute Arbitrary Code has provided some demonstration exploit code.

 Source Message Contents

Subject:  CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0


CERT Advisory CA-2003-09 Buffer Overflow in Microsoft IIS 5.0

   Original issue date: March 17, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running Microsoft Windows 2000 with IIS 5.0 enabled


   A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on
   Microsoft Windows 2000. IIS 5.0 is installed and running by default on
   Microsoft  Windows 2000 systems. This vulnerability may allow a remote
   attacker to run arbitrary code on the victim machine.

   An  exploit  is  publicly  available  for  this  vulnerability,  which
   increases the urgency that system administrators apply a patch.

I. Description

   IIS  5.0 includes support for WebDAV, which allows users to manipulate
   files   stored   on   a   web  server  (RFC2518).  A  buffer  overflow
   vulnerability  exists  in ntdll.dll (a portion of code utilized by the
   IIS  WebDAV  component).  By sending a specially crafted request to an
   IIS  5.0  server, an attacker may be able to execute arbitrary code in
   the  Local  System  security  context, essentially giving the attacker
   complete control of the system.

   Microsoft   has   issued   the   following   bulletin  regarding  this
   vulnerability: urity/bulletin/ms03-007.asp

   This  vulnerability  has been assigned the identifier CAN-2003-0109 by
   the Common Vulnerabilities and Exposures (CVE) group:

II. Impact

   Any  attacker  who can reach a vulnerable web server can gain complete
   control  of  the system and execute arbitrary code in the Local System
   security  context.  Note  that  this may be significantly more serious
   than a simple "web defacement."

III. Solution

Apply a patch from your vendor

   A patch is available from Microsoft at

Disable vulnerable service

   Until  a  patch  can  be  applied,  you  may  wish  to disable IIS. To
   determine if IIS is running, Microsoft recommends the following:

   Go to Start | Settings | Control Panel | Administrative Tools | Services.

   If the World Wide Web Publishing service is listed, then IIS
   is installed.

   To  disable  IIS,  run  the  IIS lockdown tool. This tool is available

   If  you  cannot  disable  IIS, consider using the IIS lockdown tool to
   disable  WebDAV (removing WebDAV can be specified when running the IIS
   lockdown tool). Alternatively, you can disable WebDAV by following the
   instructions located in Microsoft's Knowledgebase Article 241520, "How
   to Disable WebDAV for IIS 5.0":;en-us;241520

Restrict buffer size

   If  you  cannot  use  either the IIS lockdown tool or URLScan, consider
   restricting the size of the buffer IIS utilizes to process requests by
   using  Microsoft's URL Buffer Size Registry Tool. This tool can be run
   against  a  local  or  remote Windows 2000 system running Windows 2000
   Service Pack 2 or Service Pack 3. The tool, instructions on how to use
   it,  and  instructions on how to manually make changes to the registry
   are available here:

URL Buffer Size Registry Tool -
Microsoft Knowledge Base Article 816930 -;en-us;816930

Microsoft Knowledge Base Article 260694 -;en-us;260694

   You  may  also wish to use URLScan, which will block web requests that
   attempt  to  exploit  this vulnerability. Information about URLScan is
   available at:;[LN];326444
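   As an added defender-side illustration, not part of the CERT advisory or of
   Microsoft's tools, the following script reads IIS W3C extended log lines and
   flags WebDAV-method requests whose URI exceeds a size limit, the same class
   of over-long request that the URL buffer restriction and URLScan are meant
   to reject. The log lines, client addresses and the default limit are
   constructed for the example.

```python
"""Flag oversized WebDAV requests in IIS W3C extended log lines.

Added example, not code from the advisory or from Microsoft.  The sample
log and the size limit are constructed; a real deployment reads the
server's own log files and uses the request-size limit it has configured.
"""
from typing import Dict, List

# Methods IIS 5.0 only serves when the WebDAV component is enabled.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample in W3C extended format; the long URIs are filler
# characters, not real requests.
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2003-03-17 10:01:02 192.0.2.10 GET /index.htm 200\n"
    "2003-03-17 10:01:05 192.0.2.11 PROPFIND /docs 207\n"
    "2003-03-17 10:01:09 192.0.2.12 SEARCH /" + "A" * 70000 + " 500\n"
    "2003-03-17 10:01:12 192.0.2.13 LOCK /" + "B" * 200 + " 200\n"
)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text, taking column names from #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            # Split into at most len(fields) columns so a trailing field
            # containing spaces is not lost.
            rows.append(dict(zip(fields, line.split(" ", len(fields) - 1))))
    return rows


def oversized_webdav(rows: List[Dict[str, str]], max_uri_len: int) -> List[Dict[str, object]]:
    """Return WebDAV-method requests whose URI is longer than max_uri_len."""
    hits = []
    for row in rows:
        method = row.get("cs-method", "").upper()
        uri = row.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS and len(uri) > max_uri_len:
            hits.append({"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
                         "method": method, "uri_len": len(uri)})
    return hits


def scan_sample(max_uri_len: int = 16000) -> List[Dict[str, object]]:
    """Run the check over the constructed sample (limit is an assumed value)."""
    return oversized_webdav(parse_w3c(SAMPLE_LOG), max_uri_len)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```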

Appendix A. Vendor Information

   This  appendix  contains information provided by vendors. When vendors
   report  new  information,  this section is updated and the changes are
   noted  in  the  revision  history. If a vendor is not listed below, we
   have not received their comments.

Microsoft Corporation

     Please see Microsoft Security Bulletin MS03-007.

   Author: Ian A. Finlay

   This document is available from:

CERT/CC Contact Information

          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History

   March 17, 2003: Initial release



This message was posted through the FIRST mailing list server.
Subscriptions are managed by the FIRST Secretariat <>.

