
SANS ISC InfoSec Handlers Diary Blog



IIS admins, help finding WebDAV remotely using nmap

Published: 2009-05-24
Last Updated: 2009-05-24 05:47:47 UTC
by Raul Siles (Version: 2)
0 comment(s)

If you are concerned about the recent unpatched IIS 6.0 WebDAV remote authentication bypass vulnerability (CVE-2009-1535), you will be interested in detecting whether you are running WebDAV and whether you are vulnerable. You can do that locally or remotely. I can identify scenarios where both methods are useful to audit internal or external web servers.

For local testing, please follow Adrien's diary from a couple of days ago.

For remote testing you can use our good friend nmap, and a new NSE script (http-iis-webdav-vuln) by Ron Bowes and Andrew Orr. I've been using it on a recent penetration test, but it can be equally used in your vulnerability assessments and pre-incident handling tasks following two easy steps:

  • Download/Update & compile nmap from the SVN repository:
$ svn co --username guest --password "" svn://svn.insecure.org/nmap/
$ cd nmap
$ ./configure
$ make
$ sudo make install
  • Run the script just against your IIS web servers (specify the web server port accordingly, "-p" option):
$ nmap -n -PN -p80 --script=http-iis-webdav-vuln <target_web_server.domain.com>
  • The script doesn't work directly against HTTPS web servers. Therefore, you need to make use of nmap's service detection capabilities ("-sV") to make it work:
$ nmap -n -PN -sV -p443 --script=http-iis-webdav-vuln <target_web_server.domain.com>

This NSE script launches a kind of dictionary attack, searching for potential web server folders. If you want to avoid it, because you just want to test an existing specific folder or subfolder, use the "--script-args=webdavfolder=<PATH>" option to specify it (all in one line):

$ nmap -n -PN -p80 --script=http-iis-webdav-vuln 
  --script-args=webdavfolder="protected/webdav/folder/" <target_web_server.domain.com>

This is a listing of the most common output you can get:

  • WebDAV is disabled on a HTTP server:
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.

  • WebDAV is disabled on a HTTPS server:
443/tcp open  ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Service Info: OS: Windows

  • WebDAV is enabled on a HTTP server, but no folder was found:
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. 
If you know a protected folder, add --script-args=webdavfolder=<path>

  • WebDAV is enabled on a HTTP server, but the specified folder is not vulnerable:
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Could not determine vulnerability of folder: 
/protected/webdav/folder

  • WebDAV is enabled on a HTTP server, and vulnerable folders were found:
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
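As an added example (not part of the diary or of the NSE script), a small Python parser that turns the nmap normal output shown above into a per-host verdict, so that a scan over many IIS servers can be triaged at once. The sample scan text is constructed from the output formats listed above; the "Nmap scan report for" host header lines are an assumption taken from nmap's normal output, not from the diary.

```python
import re
# Constructed sample in the diary's output formats; the "Nmap scan report for" host headers are assumed.
SAMPLE_OUTPUT = """\
Nmap scan report for web1.example.com (192.0.2.10)
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Nmap scan report for web2.example.com (192.0.2.11)
443/tcp open  ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run.
Service Info: OS: Windows
Nmap scan report for web3.example.com (192.0.2.12)
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
SCRIPT_RE = re.compile(r"^\|_?\s*http-iis-webdav-vuln:\s*(.*)$")

def classify(message):
    """Map the script's verdict line to a state plus any folders it names."""
    if "WebDAV is DISABLED" in message:
        return "disabled", []
    if "Vulnerable folders discovered:" in message:
        raw = message.split("Vulnerable folders discovered:", 1)[1]
        return "vulnerable", [f.strip() for f in raw.split(",") if f.strip()]
    if "Could not determine" in message:
        return "enabled-undetermined", []
    if "No protected folder found" in message:
        return "enabled-unchecked", []  # rerun with --script-args=webdavfolder=<path>
    return "unknown", []

def parse_webdav_scan(text):
    """Return {host: {"port": int, "state": str, "folders": [...]}} for each scanned host."""
    results, host, port = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port = m.group(1), None
        elif m := PORT_RE.match(line):
            port = int(m.group(1))
        elif (m := SCRIPT_RE.match(line)) and host:
            state, folders = classify(m.group(1))
            results[host] = {"port": port, "state": state, "folders": folders}
    return results

def needs_attention(results):
    """Hosts with WebDAV enabled at all: confirmed vulnerable first, then the unverified ones."""
    order = {"vulnerable": 0, "enabled-undetermined": 1, "enabled-unchecked": 2}
    flagged = [h for h, r in results.items() if r["state"] in order]
    return sorted(flagged, key=lambda h: (order[results[h]["state"]], h))
```

Feed it the saved normal output of a scan over your server list (for example `nmap -oN scan.txt ...`) and the "enabled-unchecked" hosts are the ones to rescan with a known protected folder.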

Please audit ALL your web servers before anybody else does! ... and don't forget to look at your web server logs to check whether someone is already testing it!

--
Raul Siles
www.raulsiles.com

Keywords: iis iis webdav nmap