This morning I heard (from the security-basics mailing list, of all places) that there’s a zero-day vulnerability going around for WebDAV on Windows 2003. I always like a good vulnerability early in the week, so I decided to write an Nmap script to find it! The first open script I found was Metasploit’s, so I had a look at how that works. It was so simple, I didn’t even have to look at the source – a packet capture was enough.
How do I use it?
At a high level, all you need to do is update Nmap from SVN and run it with the following command:
In more detail…
Obtaining Nmap from SVN
Run the following command:
svn co --username guest --password "" svn://svn.insecure.org/nmap/
Then compile it:
cd nmap
./configure
make
sudo make install
What if I don't have SVN?
Then you’re doing it the hard way…
- Make sure you're at Nmap 4.85 beta 9 or higher.
- Find the script http.lua. It'll be in a folder called 'nselib'; for example, /usr/local/share/nmap/nselib/http.lua. Replace it with this version.
- In that folder (nselib), there's a directory called 'data'. Put folders.lst in it.
- Go up one directory, and there should be a directory called 'scripts'; for example, /usr/local/share/nmap/scripts. Put http-iis-webdav-vuln.nse in it.
Once you’ve done all that, you’re good to go.
How do I run it?
Running it is as simple as running Nmap itself. Here’s the simplest case:
nmap -sV --script=http-iis-webdav-vuln <target>
Every port running HTTP should be probed, but it’ll take a while. For a quicker check, try this:
nmap -p80,8080 --script=http-iis-webdav-vuln <target>
But keep in mind that it’ll only check the two most common ports for Web servers.
Finally, if you know the name of a password-protected folder on the system, provide it directly:
nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=secret <target>
nmap -p80,8080 --script=http-iis-webdav-vuln --script-args=webdavfolder=\"my/folder/secret\" <target>
(note the backslashes – they may not be required in the future)
How accurate is it?
This script relies on finding a password-protected folder, so it won’t be 100% accurate. I have a list of around 850 common folder names, but that definitely won’t find everything.
If you provide a folder name yourself using the webdavfolder argument, you’re going to have a lot more luck. As far as I know, once it has the name of a real password-protected folder, it’s 100% reliable. The trick is finding one.
Unfortunately, there doesn’t appear to be a good way to check if a server has WebDAV enabled. So, there’s no easy check that I know of.
How does it work?
This is the part I like – how does it work?
Well, the answer is simple – it works the same as the Metasploit Auxiliary module. Here’s what it does:
Step 1: Find a password protected folder
I have a great big list of folders from a long time ago. I honestly don’t know where I got it from, but if you created it and want credit, just hit me up. If you created it and you’re pissed off that I stole it.. well, don’t hit me up. :) – But seriously, I don’t want to take away anybody’s credit, so let me know.
Anyway, it checks the HTTP status code returned for each folder. If the status is 404 Not Found or 200 OK, we don’t care. In fact, we care about very little – we’re only looking for one status code: 401 Unauthorized.
Step 2: Exploit it!
After we find a password-protected folder, there’s only one thing left to do: exploit it! This is done by putting a Unicode-encoded string at the beginning of the URL. Thus, “/private” becomes “/%c0%afprivate”. If the status remains 401 Unauthorized, the server is not vulnerable (it may be non-IIS6, or it may not be using WebDAV). If the status becomes 207 Multi-Status, we’re vulnerable! That’s it!
The script will list all folders found to be vulnerable.
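The same two-step pattern (a 401 on a folder, then the %c0%af form of that folder) is visible from the server side. The following is an added example, not part of the original post or of the Nmap script: it pairs the two requests per client in access records and reports how the server answered. The "client path status" record format, the sample lines and the verdict names are constructed for illustration, and it assumes your logs keep the raw percent-encoded path.

```python
import re
from collections import defaultdict

# The %c0%af sequence the probe puts at the start of the folder name (Step 2).
MARKER = re.compile(r"%c0%af", re.IGNORECASE)

# Constructed sample records: client, raw request path, status.
# Assumed format; adapt the parsing to whatever your server actually logs.
SAMPLE_LOG = """\
198.51.100.7 /images/ 200
198.51.100.7 /private/ 401
198.51.100.7 /%c0%afprivate/ 207
198.51.100.7 /secret/ 401
198.51.100.7 /%C0%AFsecret/ 401
203.0.113.9 /private/ 401
192.0.2.44 /%c0%afadmin/ 404
this line is malformed and is skipped
"""

def find_bypass_probes(log_text):
    """Return (client, folder, verdict) for every request carrying the marker."""
    protected = defaultdict(set)   # client -> paths that answered 401
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue               # skip malformed records
        client, path, status = parts[0], parts[1], int(parts[2])
        if not MARKER.search(path):
            if status == 401:
                protected[client].add(path)
            continue
        baseline = MARKER.sub("", path)    # the folder without the marker
        if baseline not in protected[client]:
            verdict = "marker-without-baseline"   # no earlier 401 from this client
        elif status == 207:
            verdict = "bypass-succeeded"   # 401 became 207: server is vulnerable
        elif status == 401:
            verdict = "probe-rejected"     # still 401: not vulnerable
        else:
            verdict = "probe-inconclusive"
        findings.append((client, baseline, verdict))
    return findings

if __name__ == "__main__":
    for client, folder, verdict in find_bypass_probes(SAMPLE_LOG):
        print(f"{client} {folder} {verdict}")
```

A "bypass-succeeded" entry means that folder should be treated as exposed on that server, regardless of who sent the request.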
How do I exploit it for real?
That’s a great question! But, my answer is a cop out right now: I’ll get back to you. I suspect that it’s possible (and easy) to exploit with free tools, such as Paros and the freely available portion of Burp Suite, but I haven’t had a chance to try it out. When I do, I’ll post a new blog!