Whoops.
It would appear that Microsoft has in fact confirmed today that there is a privilege escalation problem with IIS 6.0, specifically as it affects WebDAV.
From SC Magazine:
The software giant said in an advisory that it was not aware of any attacks attempting to exploit the bug, which impacts IIS versions 5, 5.1 and 6. However, US-CERT revealed Monday that it was aware of publicly available exploit code and active attacks.
The exploit would work by a cybercriminal creating an anonymous but malicious HTTP request, which can take advantage of a vulnerability in the way the WebDAV (Web-based Distributed Authoring and Versioning) extension for IIS handles these requests. WebDAV is a set of HTTP extensions that permits users to manage files on web servers.
I absolutely LOVE phrases like this one from Microsoft, “not aware of any attacks attempting to exploit the bug”. It’s like waving a red cape in front of a bull.
Oh lookie here (milw0rm). Here is a passage from the published exploit proof of concept.
This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations of Internet Information Server 6.0.
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle Unicode tokens when parsing the URI and sending back data.