Microsoft Security Bulletin MS01-022

Technical description:

The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.

The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.

Mitigating factors:

• The attacker would need to possess significant inside information in order to carry out a successful attack, such as server names, folder structures, and other user- and network-specific information. This vulnerability would therefore be most likely used as part of an insider attack.
• Because of the way WebDAV requests are authenticated, the vulnerability could not be exploited against stand-alone machines.
• The vulnerability could not be exploited if Active Scripting was disabled in the Security Zone the script opened in.

Vulnerability identifier: CAN-2001-0238

Tested Versions:

Microsoft tested all versions of the Microsoft Data Access Component Internet Publishing Provider numbered 8.103.2519.0 or earlier, to assess whether they are affected by this vulnerability.

What's the scope of the vulnerability?
This vulnerability could enable an attacker to access information on another user's intranet. Specifically, if the attacker could entice or persuade the user into either visiting a particular web page or opening a particular HTML e-mail, she could gain the ability to read, change or add any data that the user himself had privileges to read, change or add.
Exploiting the vulnerability would be difficult. The attacker would need to possess significant inside knowledge of the user and his network in order to exploit it. In fact, in most cases, it's likely that only an insider could exploit the vulnerability.

What causes the vulnerability? 
The vulnerability results because a component used to enable remote access to web-based resources doesn't properly enforce domain restrictions. If HTML code from a web site or an HTML mail ran within a browser, it could potentially levy requests using the security context of the user.

What's the component at issue here? 
The component's name is the Microsoft Data Access Component Internet Publishing Provider. Its role is to support WebDAV (Web Distributed Authoring and Versioning).

What's WebDAV? 
WebDAV is an Internet standard that lets multiple people collaborate on documents using an Internet-based shared file system. It addresses issues such as file access permissions, offline editing, file integrity, and conflict resolution when competing changes are made to a document. WebDAV expands an organization's infrastructure by using the Internet or an intranet as the central location for storing shared files.

What products does the Provider ship in? 
Because it supports WebDAV, and WebDAV is the underlying technology behind many web-based collaboration features offered by Microsoft products, the Provider is installed by a variety of different Microsoft products. It's provided as part of Windows Me and Windows 2000, and also can be installed by recent versions of Office as well as other Microsoft products. Below, we'll discuss how to tell whether an affected version is installed on your machine.

What's wrong with the Provider? 
The Provider should be cognizant of the source of a WebDAV request, and regulate the actions it will take accordingly. In particular, it should treat requests that are levied by script differently from ones that are levied by the user.

Why should requests be treated differently if they're levied via script? 
Scripts run on the local machine even though they may originate from an outside source, like a web site or an HTML e-mail. For instance, when you visit a web page that contains Javascript, the script is downloaded to your machine and run locally. Clearly, though, such script should not be able to take arbitrary actions on your behalf.
In general, the browser ensures that scripts can only take actions that are appropriate, given their source. Scripts are, by design, allowed to levy WebDAV requests but of course they should be tightly regulated with regard to the actions they can take. The vulnerability results because the Provider doesn't regulate these actions properly, and executes them as though the user himself had requested them, rather than script from a foreign source.

What would this vulnerability enable an attacker to do? 
If an attacker could entice a user into opening a web page or an HTML e-mail that contained script, she could make WebDAV requests as that user. This would enable her to take any action that the user himself could take via WebDAV.

What kind of actions can a user typically take via WebDAV? 
It would vary from system to system, depending on how many web-based resources were available, and the user's privileges. However, at a minimum it's likely that this could allow the script to access intranet sites as the user, and access web-based mail as well.

How easy would it be exploit the vulnerability? 
Even assuming that the attacker could persuade someone to run script from her web page or HTML e-mail, exploiting this vulnerability would still be a daunting task. The attacker would need to know the precise names of the servers whose resources she wanted to abuse, as well as the folder structure. It's also likely that she would need information about the user in order to properly formulate the requests. Because of the amount of site-specific knowledge the attacker would need, it's likely that the attacker would need to be an insider, such as a disgruntled employee.

Are there any other restrictions on how the vulnerability could be exploited? 
Yes. Because of the way WebDAV requests are authenticated, this vulnerability could only be exploited against a machine that was either a workgroup or a domain member. It could not be exploited on a stand-alone machine.

What does the patch do? 
The patch eliminates the vulnerability by causing the Provider to restrict the WebDAV requests that can be made via script. Specifically, it causes the Provider to only allow a script to levy requests on behalf of the specific web site, and folder within that site, that it originated on.

How do I know whether I need the patch? 
The easiest way is to check the version number of the Provider. Follow these steps to determine the version number:

1. From the Start menu, select Search, then For Files or Folders
2. In the Search For field, type msdaipp.dll and click the Search Now button
3. If msdaipp.dll is not present on your machine, you are not affected by the vulnerability and do not need the patch.
4. If msdaipp.dll is present on your machine, right-click on the file in the search window, then select Properties, then Version. Consult the table below to determine if you have a version with the vulnerability.

You said that the Provider ships as part of several Microsoft products. If I apply the patch, and then later install a product that installs a vulnerable version of the Provider, do I need to re-install the patch? 
No. Microsoft products respect version numbers, and will not overwrite a higher version with a lower one. If you've installed the patch, no other product will cause it to revert to a vulnerable version.

Download locations for this patch

• All Affected Products:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=046E5A26-54D8-4AAB-B3B1-0050C267C2B2&displaylang=en