The WebClient service runs one RPC service, available on the following endpoint:
Y:\>ifids -p ncacn_np -e "\pipe\DAV RPC SERVICE" \\. Interfaces: 1 c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
Table 4.104. davclntrpc operations
| Interface | Operation number | Operation name |
|---|---|---|
| c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0: davclntrpc | ||
| 0x00 | DavrCreateConnection | |
| 0x01 | DavrDoesServerDoDav | |
| 0x02 | DavrIsValidShare | |
| 0x03 | DavrEnumNetUses | |
| 0x04 | DavrEnumShares | |
| 0x05 | DavrEnumServers | |
| 0x06 | DavrGetConnection | |
| 0x07 | DavrDeleteConnection | |
| 0x08 | DavrGetUser | |
| 0x09 | DavrConnectionExist | |
| 0x0a | DavrWinlogonLogonEvent | |
| 0x0b | DavrWinlogonLogoffEvent | |
| 0x0c | DavrGetDiskSpaceUsage | |
| 0x0d | DavrFreeUsedDiskSpace | |
| 0x0e | DavrGetTheLockOwnerOfTheFile |
In February 2006, a security vulnerability discovered by Kostya Kortchinsky was fixed by Microsoft in the MS06-008 security bulletin [47]. It can be exploited (with valid user credentials) using the DavrCreateConnection operation (opnum 0) of the davclntrpc interface.