• Article

Security Bulletin

Microsoft Security Bulletin MS01-022 - Critical

WebDAV Service Provider Can Allow Scripts to Levy Requests as User

Published: April 18, 2001 | Updated: June 23, 2003

Version: 1.2

Originally posted: April 18, 2001
Updated: June 23, 2003

Summary
Who should read this bulletin: Customers using any Microsoft operating system.

Impact of vulnerability:
Web-based script could levy WebDAV requests on the user's behalf.

Recommendation:
Customers should consult the FAQ to determine whether they have an affected version and consider applying the patch if they do.

Affected Software:

  • Microsoft Windows® 95
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Me
  • Microsoft Windows NT® 4.0
  • Microsoft Windows 2000

General Information

Technical details

Technical description:

The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.

The specific actions an attacker could take via this vulnerability would depend on the Web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.

Mitigating factors:

  • The attacker would need to possess significant inside information in order to carry out a successful attack, such as server names, folder structures, and other user- and network-specific information. This vulnerability would therefore be most likely used as part of an insider attack.
  • Because of the way WebDAV requests are authenticated, the vulnerability could not be exploited against stand-alone machines.
  • The vulnerability could not be exploited if Active Scripting was disabled in the Security Zone the script opened in.

Vulnerability identifier: CAN-2001-0238

Tested Versions:

Microsoft tested all versions of the Microsoft Data Access Component Internet Publishing Provider numbered 8.103.2519.0 or earlier, to assess whether they are affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This vulnerability could enable an attacker to access information on another user's intranet. Specifically, if the attacker could entice or persuade the user into either visiting a particular web page or opening a particular HTML e-mail, she could gain the ability to read, change or add any data that the user himself had privileges to read, change or add.
Exploiting the vulnerability would be difficult. The attacker would need to possess significant inside knowledge of the user and his network in order to exploit it. In fact, in most cases, it's likely that only an insider could exploit the vulnerability.

What causes the vulnerability?
The vulnerability results because a component used to enable remote access to web-based resources doesn't properly enforce domain restrictions. If HTML code from a web site or an HTML mail ran within a browser, it could potentially levy requests using the security context of the user.

What's the component at issue here?
The component's name is the Microsoft Data Access Component Internet Publishing Provider. Its role is to support WebDAV (Web Distributed Authoring and Versioning).

What's WebDAV?
WebDAV is an Internet standard that lets multiple people collaborate on documents using an Internet-based shared file system. It addresses issues such as file access permissions, offline editing, file integrity, and conflict resolution when competing changes are made to a document. WebDAV expands an organization's infrastructure by using the Internet or an intranet as the central location for storing shared files.

What products does the Provider ship in?
Because it supports WebDAV, and WebDAV is the underlying technology behind many web-based collaboration features offered by Microsoft products, the Provider is installed by a variety of different Microsoft products. It's provided as part of Windows Me and Windows 2000, and also can be installed by recent versions of Office as well as other Microsoft products. Below, we'll discuss how to tell whether an affected version is installed on your machine.

What's wrong with the Provider?
The Provider should be cognizant of the source of a WebDAV request, and regulate the actions it will take accordingly. In particular, it should treat requests that are levied by script differently from ones that are levied by the user.

Why should requests be treated differently if they're levied via script?
Scripts run on the local machine even though they may originate from an outside source, like a web site or an HTML e-mail. For instance, when you visit a web page that contains Javascript, the script is downloaded to your machine and run locally. Clearly, though, such script should not be able to take arbitrary actions on your behalf.
In general, the browser ensures that scripts can only take actions that are appropriate, given their source. Scripts are, by design, allowed to levy WebDAV requests but of course they should be tightly regulated with regard to the actions they can take. The vulnerability results because the Provider doesn't regulate these actions properly, and executes them as though the user himself had requested them, rather than script from a foreign source.

What would this vulnerability enable an attacker to do?
If an attacker could entice a user into opening a web page or an HTML e-mail that contained script, she could make WebDAV requests as that user. This would enable her to take any action that the user himself could take via WebDAV.

What kind of actions can a user typically take via WebDAV?
It would vary from system to system, depending on how many web-based resources were available, and the user's privileges. However, at a minimum it's likely that this could allow the script to access intranet sites as the user, and access web-based mail as well.

How easy would it be exploit the vulnerability?
Even assuming that the attacker could persuade someone to run script from her web page or HTML e-mail, exploiting this vulnerability would still be a daunting task. The attacker would need to know the precise names of the servers whose resources she wanted to abuse, as well as the folder structure. It's also likely that she would need information about the user in order to properly formulate the requests. Because of the amount of site-specific knowledge the attacker would need, it's likely that the attacker would need to be an insider, such as a disgruntled employee.

Are there any other restrictions on how the vulnerability could be exploited?
Yes. Because of the way WebDAV requests are authenticated, this vulnerability could only be exploited against a machine that was either a workgroup or a domain member. It could not be exploited on a stand-alone machine.

What does the patch do?
The patch eliminates the vulnerability by causing the Provider to restrict the WebDAV requests that can be made via script. Specifically, it causes the Provider to only allow a script to levy requests on behalf of the specific web site, and folder within that site, that it originated on.

How do I know whether I need the patch?
The easiest way is to check the version number of the Provider. Follow these steps to determine the version number:

  1. From the Start menu, select Search, then For Files or Folders
  2. In the Search For field, type msdaipp.dll and click the Search Now button
  3. If msdaipp.dll is not present on your machine, you are not affected by the vulnerability and do not need the patch.
  4. If msdaipp.dll is present on your machine, right-click on the file in the search window, then select Properties, then Version. Consult the table below to determine if you have a version with the vulnerability.
Version Number Status
8.102.1403.0 Affected
8.103.2402.0 Affected
8.103.2519.0 Affected
All other versions Unaffected

You said that the Provider ships as part of several Microsoft products. If I apply the patch, and then later install a product that installs a vulnerable version of the Provider, do I need to re-install the patch?
No. Microsoft products respect version numbers, and will not overwrite a higher version with a lower one. If you've installed the patch, no other product will cause it to revert to a vulnerable version.

Patch availability

Download locations for this patch

Additional information about this patch
Installation platforms:

The patch can be installed on any of the following platforms:

  • Windows 95
  • Windows 98
  • Windows 98 Second Edition
  • Windows Me
  • Windows NT 4.0 Workstation Service Pack 6a.
  • Windows NT 4.0 Server and Server, Enterprise Edition, Service Pack 6a.
  • Windows NT 4.0 Server, Terminal Server Edition, Service Pack 6.
  • Windows 2000 Professional, Server, Advanced Server or Datacenter Server, when running the Gold version, Service Pack 1 or the forthcoming Service Pack 2.

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP. In addition, any other products that ship the Microsoft Data Access Component Internet Publishing Provider will ship a corrected version in their next version or service pack.

Superseded patches:

None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the version number for msdaipp.dll is no longer one of the three affected version numbers listed in the section of the FAQ titled "How do I know whether I need the patch?"

Caveats:

None

Localization:

The patch is appropriate for use on all language versions of the affected platforms.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches are also available from the WindowsUpdate web site

Other information:
Support:

  • Microsoft Knowledge Base article Q296441 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (April 18, 2001): Bulletin Created.
  • V1.1 (August 12, 2002): Bulletin updated to correct error and indicate that this fix will be provided in Windows 2000 Service Pack 4.
  • V1.2 (June 23, 2003): Updated Windows Update download links.

Built at 2014-04-18T13:49:36Z-07:00