We have heard several questions from customers about the WebDAV authentication bypass issue on IIS. We wanted to post common questions and answers here to help anyone else who might have the same question.
Question: Is Sharepoint vulnerable to the authentication bypass?
Answer: No, Sharepoint is not vulnerable to this vulnerability. The Sharepoint team does not use the same code as IIS. Their DAV server goes against their backend SQL store, not the file system.
Question: Is Outlook Web Access (OWA) vulnerable to the authentication bypass?
Answer: No, OWA is not vulnerable to this vulnerability. Exchange 2007 and earlier supported the WebDAV protocol but they did so with an Exchange implementation of WebDAV which only reads/write to/from the Exchange store. It does not interact with the filesystem directly.
Question: How can I find IIS servers in my environment running WebDAV?
Answer: You can use the IIS Manager interface on the server to quickly tell whether the server is running WebDAV. If you want to do so remotely, you can issue an HTTP request to the server directly:
$ telnet server 80
OPTIONS / HTTP/1.1
Host: server
Accept: */*
(An extra Enter on the blank line after the Accept will complete the request for the webserver.)
If you get an HTTP response that looks like the one below, the server is running WebDAV.
HTTP/1.1 200 OK
Date: Wed, 20 May 2009 00:52:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: <!--?XML:NAMESPACE PREFIX = DAV /--><dav:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIN
D, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private</dav:sql>
To evaluate the response for existence of WebDAV, use the following logic:
- Received 2xx response status to OPTIONS request made to root of site.
- Response contains DAV header with value 1,2.
- Response contains MS-Author-Via header which contains DAV value.
- Response DOES NOT contain X-MSDAVEXT header. Existence of this means its Sharepoint’s DAV.
To test a server that only accepts HTTPS connections, you can use a tool like wfetch.
What is the difference between the WebDAV server and the WebDAV Redirector / Mini-Redirector
Answer: The WebDAV server is a server-side component that facilitates WebDAV Publishing within IIS. The WebDAV server is the component discussed in this blog, the previous SRD blog, and the MSRC security advisory.
Windows also includes client-side components that make interacting with the WebDAV server easier. The client-side components are not affected by this authentication bypass vulnerability. The WebDAV Redirector is a remote file system over the WebDAV protocol that allows Windows client machines to connect to the WebDAV publishing directory through the command line. The WebDAV Redirector enables you to manipulate files on the Web as though the files exist on a mapped network drive. The WebDAV Mini-Redirector is also known as the WebClient service. This service lets DAV-enabled folders appear as Universal Naming Convention (UNC) shares.
If you have any questions about this vulnerability, please let us know. Thanks!
- Jonathan Ness, MSRC Engineering
*Postings are provided “AS IS” with no warranties, and confers no rights.*