[Dshield] Microsoft-WebDAV-MiniRedir/5.1.2600

Tod Beardsley todb at planb-security.net
Wed Nov 13 14:37:05 GMT 2002


Mark Rowlands (Wednesday, November 13, 2002, 3:20 AM) wrote:

> Something I haven't seen before popping up in my logs is this :-

> "PROPFIND /c%24 HTTP/1.1" 405 915 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

> It has come from a couple of sources ...one Roadrunner, one AOL so my no. 1 
> hypothesis is dumb user with Windows XP / Frontpage.

There's a Microsoft hotfix here, posted Oct 30, 2002:

http://www.microsoft.com/technet/security/bulletin/MS02-062.asp

It fixes a denial-of-service exposure in IIS's WebDAV implementation.
Since the exposure hinges on a running Index Service, I would guess
the malformed URL would have something to do with PROPFIND. However, the
bulletin provides no details on what an attack would actually look like.

After reading it, I found that turning off WebDAV altogether can only be
accomplished through a registry edit. This Q article describes this
"extreme" step:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q241520

Also, WebDAV is disabled with IISLockdown.

-- 
Tod Beardsley (GCIA, MCSE)
"It's okay to yell fire in a crowded theater
if the theater is actually on fire."
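
A log filter for the entry quoted above, added here as an illustration and not part of the original thread. It assumes Apache-style Combined Log Format (the post shows only the request, status, size, referer and agent fields); the addresses and timestamps in the sample lines are constructed, and `classify` and `webdav_hits` are illustrative names.

```python
import re
from urllib.parse import unquote

# Methods that WebDAV (RFC 4918) adds on top of plain HTTP.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Assumed format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# "/c%24" percent-decodes to "/c$", the form of a Windows drive share name.
DRIVE_SHARE_RE = re.compile(r"^/[A-Za-z]\$(/|$)")

def classify(line):
    """Return a dict describing a WebDAV request, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m["method"] not in WEBDAV_METHODS:
        return None
    path = unquote(m["path"])  # decode before matching so %24 and $ compare equal
    status = int(m["status"])
    return {
        "host": m["host"],
        "method": m["method"],
        "path": path,
        "status": status,
        "miniredir": m["agent"].startswith("Microsoft-WebDAV-MiniRedir/"),
        "drive_share": bool(DRIVE_SHARE_RE.match(path)),
        # A 2xx reply (207 Multi-Status for PROPFIND) means WebDAV answered.
        "answered": 200 <= status < 300,
    }

def webdav_hits(lines):
    """Classify every line and keep only the WebDAV requests."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample input: only the request/status/size/agent of the first
# line come from the post; hosts and timestamps are made up.
SAMPLE = [
    '192.0.2.10 - - [13/Nov/2002:03:20:00 +0000] "PROPFIND /c%24 HTTP/1.1" 405 915 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '192.0.2.11 - - [13/Nov/2002:03:21:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.12 - - [13/Nov/2002:03:22:45 +0000] "PROPFIND /docs HTTP/1.1" 207 1320 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
]

if __name__ == "__main__":
    for hit in webdav_hits(SAMPLE):
        print(hit)
```

A hit with `answered` set to true shows a server that still responds to WebDAV methods, which is the condition the registry edit or IISLockdown mentioned above is meant to remove.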



