Vulnerability Name:

CVE-2009-1535 (CCN-50573)

Assigned:2009-05-15
Published:2009-05-15
Updated:2020-11-23
Summary:The WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.2 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type:CWE-287
Vulnerability Consequences:Bypass Security
References:Source: FULLDISC
Type: Broken Link
20090515 IIS6 + webdav and unicode rides again in 2009

Source: FULLDISC
Type: Broken Link
20090515 Re: IIS6 + webdav and unicode rides again in 2009

Source: FULLDISC
Type: Broken Link
20090515 Re: IIS6 + webdav and unicode rides again in 2009

Source: MISC
Type: Broken Link
http://archives.neohapsis.com/archives/fulldisclosure/2009-05/att-0135/IIS_Advisory.pdf

Source: MISC
Type: Third Party Advisory
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html

Source: MITRE
Type: CNA
CVE-2009-1122

Source: MITRE
Type: CNA
CVE-2009-1535

Source: MISC
Type: Third Party Advisory
http://isc.sans.org/diary.html?n&storyid=6397

Source: CCN
Type: SA35109
Microsoft Internet Information Services WebDAV Request Directory Security Bypass

Source: CCN
Type: SECTRACK ID: 1022358
Microsoft Internet Information Services WebDAV Bug Lets Remote Users Bypass Authentication

Source: CCN
Type: ASA-2009-215
MS09-020 Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)

Source: MISC
Type: Broken Link
http://view.samurajdata.se/psview.php?id=023287d6&page=1

Source: VIM
Type: Third Party Advisory
20090616 IIS WebDav Vulnerability CVE ID

Source: CCN
Type: Microsoft IIS Web site
The Official Microsoft IIS Site

Source: CCN
Type: US-CERT VU#787932
Microsoft IIS WebDAV Remote Authentication Bypass

Source: CCN
Type: Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege

Source: CCN
Type: Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)

Source: CCN
Type: BID-34993
Microsoft IIS Unicode Requests to WebDAV Multiple Authentication Bypass Vulnerabilities

Source: CCN
Type: BID-35232
Microsoft IIS 5.0 WebDAV Authentication Bypass Vulnerability

Source: CERT
Type: Third Party Advisory, US Government Resource
TA09-160A

Source: MS
Type: Patch, Vendor Advisory
MS09-020

Source: XF
Type: UNKNOWN
iis-webdav-security-bypass(50573)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:6029

Source: CCN
Type: Rapid7 Vulnerability and Exploit Database [05-30-2018]
MS09-020 IIS6 WebDAV Unicode Auth Bypass Directory Scanner

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_xp:-:sp2:*:*:professional:*:-:*
  • OR cpe:/o:microsoft:windows_xp:-:sp3:*:*:professional:*:-:*

Configuration 2:
  • cpe:/a:microsoft:internet_information_services:6.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp2:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*

Configuration CCN 1:
  • cpe:/a:microsoft:internet_information_server:6.0:beta:*:*:*:*:*:*
  • OR cpe:/a:microsoft:internet_information_server:5.0:*:*:*:far_east:*:*:*
  • OR cpe:/a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp3:professional:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_2000::sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:~~professional~~~:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:6029 | V | IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability | 2009-07-21
    microsoft internet information services 5.1
    microsoft windows xp - sp2
    microsoft windows xp - sp3
    microsoft internet information services 6.0
    microsoft windows server 2003 - sp2
    microsoft windows server 2003 - sp2
    microsoft windows server 2003 - sp2
    microsoft windows xp - sp2
    microsoft iis 6.0 beta
    microsoft internet information server 5.0
    microsoft internet information server 5.1
    microsoft windows xp sp3
    microsoft windows 2000 sp4
    microsoft windows xp sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows xp sp2