If you are concerned about the recent IIS 6.0 WebDAV Remote Auth Bypass vulnerability, you will be interested in detecting whether you are running WebDAV and whether you are vulnerable. You can do that locally or remotely. I can identify scenarios where both methods are useful to audit internal or external web servers.
For local testing, please follow Adrien's diary from a couple of days ago.
For remote testing you can use our good friend nmap, and a new NSE script (http-iis-webdav-vuln) by Ron Bowes. I've been using it on a recent penetration test, but it can be equally used in your vulnerability assessments and pre-incident handling tasks following two easy steps:
$ svn co --username guest --password "" svn://svn.insecure.org/nmap/
$ cd nmap
$ ./configure
$ make
$ sudo make install
$ nmap -n -PN -p80 --script=http-iis-webdav-vuln <target_web_server.domain.com>
$ nmap -n -PN -sV -p443 --script=http-iis-webdav-vuln <target_web_server.domain.com>
This NSE script launches a kind of dictionary attack, searching for potential web server folders. If you want to avoid it, because you just want to test an existing specific folder or subfolder, use the "--script-args=webdavfolder=<PATH>" option to specify it (all in one line):
$ nmap -n -PN -p80 --script=http-iis-webdav-vuln --script-args=webdavfolder="protected/webdav/folder/" <target_web_server.domain.com>
This is a listing of the most common output you can get:
80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.

443/tcp open ssl/http Microsoft IIS webserver 6.0
|_ http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Service Info: OS: Windows

80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>

80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Could not determine vulnerability of folder: /protected/webdav/folder

80/tcp open http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
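When you run the script across many web servers, the five result strings above are what you have to sort through. The following added example (my own code, not part of the diary or of Ron Bowes' NSE script) parses nmap's normal output, maps each http-iis-webdav-vuln result to a triage state, and lists the hosts that still need work; the sample scan output is constructed, and the "Nmap scan report for" host banner line is an assumption about the output format.

```python
import re

# Constructed nmap normal output (not a real scan); result strings are the diary's own.
SAMPLE_OUTPUT = """\
Nmap scan report for web1.example.com (192.0.2.10)
80/tcp  open  http
|_http-iis-webdav-vuln: WebDAV is DISABLED. Server is not currently vulnerable.
Nmap scan report for web2.example.com (192.0.2.11)
80/tcp  open  http
|_http-iis-webdav-vuln: WebDAV is ENABLED. No protected folder found; check not run. If you know a protected folder, add --script-args=webdavfolder=<path>
Nmap scan report for web3.example.com (192.0.2.12)
80/tcp  open  http
|_http-iis-webdav-vuln: WebDAV is ENABLED. Could not determine vulnerability of folder: /protected/webdav/folder
Nmap scan report for web4.example.com (192.0.2.13)
443/tcp open  ssl/http Microsoft IIS webserver 6.0
|_http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /secret, /webdav
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
RESULT_RE = re.compile(r"^\|_\s*http-iis-webdav-vuln:\s*(.*)$")

def classify(result):
    """Map one script result string to a triage state plus any folders it names."""
    if "WebDAV is DISABLED" in result:
        return "not_vulnerable", []
    m = re.search(r"Vulnerable folders discovered:\s*(.*)", result)
    if m:
        return "vulnerable", [f.strip() for f in m.group(1).split(",") if f.strip()]
    m = re.search(r"Could not determine vulnerability of folder:\s*(\S+)", result)
    if m:
        return "undetermined", [m.group(1)]
    if "check not run" in result:
        return "needs_folder", []  # re-scan with --script-args=webdavfolder=<path>
    return "unknown", []

def triage(nmap_output):
    """Walk nmap normal output and record the triage state per host."""
    states, host = {}, None
    for line in nmap_output.splitlines():
        h = HOST_RE.match(line)
        if h:
            host = h.group(1)
            continue
        r = RESULT_RE.match(line)
        if r and host:
            states[host] = classify(r.group(1))
    return states

def hosts_needing_action(states):
    """Every host not confirmed clean: patch, disable WebDAV, or re-scan with a folder."""
    return sorted(h for h, (state, _) in states.items() if state != "not_vulnerable")
```

Feed it the saved normal output of the nmap runs above (for example `nmap -oN scan.txt ...`) and act on everything `hosts_needing_action` returns, not only the hosts reported as vulnerable.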
Please, audit ALL your web servers before anybody else does! ... and don't forget to look at your web server logs to check if someone is already testing it!
May 23rd 2009