Nmap Development mailing list archives
Re: General Webdav NSE script and the new IIS6 vulnerability
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 19 May 2009 20:39:05 +0000
On Tue, 19 May 2009 21:31:53 +0100 jah <jah () zadkiel plus com> wrote:

> On 19/05/2009 21:05, Brandon Enright wrote:
>> Small world. I worked on this yesterday but I was not able to come up with a way to determine if IIS 6 has WebDAV enabled. Does Kris's script work on IIS 6? I gave up after about an hour of playing curl/ncat on trying to detect if WebDAV is enabled.
>
> I'm playing with the same thing, but haven't got very far. I find that the PROPFIND method returns HTTP/1.1 501 Not Implemented if webdav is set to 'prohibited' and HTTP/1.1 207 Multi-Status if it's allowed. I've only tried this on Windows SBS 2003 SP1 so I don't know at this point whether this is a reliable way to detect whether webdav is enabled for different IIS builds and configurations. I haven't tried Kris's script yet, but intend to if it turns out that PROPFIND doesn't reliably work.
>
> jah

So I know better than to ask if something works without testing it. It
seems Kris's script requires the HTTP OPTIONS request to be supported
which on most of the IIS 5 servers I tried returned HTTP 400. It did
return positive on a few IIS 5 servers that I know are running WebDAV.
Regarding IIS 6, I tried several IIS 6 servers I know are running WebDAV
and they all returned both 0 for WebDAV properties and 0 for DeltaV
properties.
So not to stop there, I modified Kris's script to print out something
for each of the failures. The "nope # #" is the count of WebDAV
options and DeltaV options respectively. I only scanned machines I
know are running IIS 6:
1 |_ webdav: Got bad status: 301
9 |_ webdav: Got bad status: 302
42 |_ webdav: Got bad status: 400
34 |_ webdav: Got bad status: 401
57 |_ webdav: Got bad status: 403
45 |_ webdav: Got bad status: 404
285 |_ webdav: nope 0 0
At least a dozen of these machines are running WebDAV.
The best idea I came up with yesterday was to brute force/crawl to find
protected folders and then check to see if the exploit worked. I
dismissed this as too slow/unreliable yesterday.
I'd *love* to see a WebDAV script, especially one that checks for this
Unicode authentication bypass. Anybody have any ideas on how to
reliably check for WebDAV on IIS 6?
Brandon
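
The two signals discussed in this message, combined into one classifier, as an added example that is not part of the original post and is not Kris's script. The function names and the sample replies are hypothetical; reading the `DAV` header from an OPTIONS reply goes slightly beyond the thread and follows the WebDAV specification.

```python
import http.client
from collections import Counter

def classify_webdav(options, propfind):
    """Each argument is (status, lowercase-header dict), or None if no reply."""
    if propfind and propfind[0] == 207:
        return "enabled", "PROPFIND 207 Multi-Status"
    if propfind and propfind[0] == 501:
        # jah's observation on Windows SBS 2003 SP1; unverified on other builds.
        return "disabled", "PROPFIND 501 Not Implemented"
    if options and options[0] == 200:
        hdrs = options[1]
        methods = (hdrs.get("allow", "") + "," + hdrs.get("public", "")).upper()
        if "dav" in hdrs or "PROPFIND" in methods:
            return "enabled", "OPTIONS advertises DAV"
    # An OPTIONS reply with no DAV hints is NOT proof of absence: the thread
    # reports IIS 6 hosts with WebDAV on that advertise nothing.
    seen = [f"{m} {r[0]}" for m, r in (("OPTIONS", options), ("PROPFIND", propfind)) if r]
    return "inconclusive", ", ".join(seen) or "no response"

def probe(host, port=80, path="/", timeout=5):
    """Send OPTIONS and PROPFIND (Depth: 0) to one host and classify the replies."""
    replies = {}
    for method, hdrs in (("OPTIONS", {}), ("PROPFIND", {"Depth": "0", "Content-Length": "0"})):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers=hdrs)
            resp = conn.getresponse()
            replies[method] = (resp.status, {k.lower(): v for k, v in resp.getheaders()})
        except (OSError, http.client.HTTPException):
            replies[method] = None
        finally:
            conn.close()
    return classify_webdav(replies["OPTIONS"], replies["PROPFIND"])

def tally(samples):
    """Count verdicts over many hosts, like the status tally in the post."""
    return Counter(classify_webdav(o, p)[0] for o, p in samples)

# Constructed sample replies (not captured from real hosts).
SAMPLES = [
    ((200, {"allow": "OPTIONS, GET, HEAD"}), (207, {})),  # OPTIONS silent, PROPFIND works
    ((400, {}), (501, {})),
    ((200, {"dav": "1, 2"}), None),
    ((200, {}), (401, {})),
    ((403, {}), (404, {})),
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```

Replies such as 401, 403 or 404 stay "inconclusive" rather than "disabled", since the tally in the post shows those statuses on hosts where WebDAV is known to be running.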
