
List:       websecurity
Subject:    [WEB SECURITY] WebTuff - IIS 6.0 WebDAV Authentication Bypass Exploit in Python
From:       Raviv Raz <ravivr () gmail ! com>
Date:       2009-05-24 15:52:50
Message-ID: 2012bcf0905240852td0f38cfgff2adbc58b6b160e () mail ! gmail ! com

Well, I must admit we all missed it. Just when we thought it was over, it's
making a comeback:
IIS 6.0 once again shows leaks in its input validation. I know most of you
probably got to this page because you just want to download the script
kiddie tool. So to cut a long story short,
when using WebDAV commands against an IIS 6.0 server with the WebDAV
extension installed and enabled, cutting the URI path in the middle and
inserting these control characters:

%c0%af

allows a quick and easy bypass of the access control list applied upon the
WebDAV exposed web folders.
This can definitely lead under some circumstances to:

   - web shell upload - creating a backdoor
   - website defacement
   - passwords and sensitive information theft
   - local execution of uploaded malicious code

Here is what Microsoft has to say about that:

http://www.microsoft.com/technet/security/advisory/971492.mspx

The following WebTuff utility is a proof of concept that performs the
following actions:


   1. Try to retrieve the file at the given URI using a simple WebDAV GET
   command
   2. Try to retrieve the file at the given URI using a simple WebDAV GET
   command, and the assistance of our friends %c0 and %af in the middle of the
   URI
   3. Save the retrieved file locally and / or report server response

You may download WebTuff at the following location:

http://www.sn3akers.com
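
Added example, not part of the original message or of the WebTuff tool: a defender-side check that scans web server log lines for the %c0%af sequence described above, which is an overlong UTF-8 encoding of "/". It goes beyond the single sequence in the post by flagging any overlong UTF-8 form in a request URI; the log field order and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte patterns that are overlong (never valid) UTF-8 once percent-decoded.
OVERLONG = re.compile(
    rb"[\xc0\xc1][\x80-\xbf]"            # 2-byte form of ASCII, e.g. C0 AF = "/"
    rb"|\xe0[\x80-\x9f][\x80-\xbf]"      # 3-byte form of a code point < U+0800
    rb"|\xf0[\x80-\x8f][\x80-\xbf]{2}"   # 4-byte form of a code point < U+10000
)

def decode_overlong(seq: bytes) -> str:
    """Character a lax UTF-8 decoder would produce for an overlong sequence."""
    cp = seq[0] & (0xFF >> (len(seq) + 1))   # payload bits of the lead byte
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)          # six payload bits per continuation
    return chr(cp)

def scan_log(lines):
    """Return (c-ip, method, uri, status, hidden chars) per suspicious request."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or line.startswith("#"):
            continue                          # skip directives and short lines
        _date, _time, ip, method, uri, status = fields[:6]
        hits = OVERLONG.findall(unquote_to_bytes(uri))
        if hits:
            hidden = "".join(decode_overlong(h) for h in hits)
            findings.append((ip, method, uri, status, hidden))
    return findings

# Constructed sample in an assumed field order (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-05-24 15:01:10 192.0.2.10 GET /protected/report.doc 401
2009-05-24 15:01:12 192.0.2.10 GET /prot%c0%afected/report.doc 200
2009-05-24 15:02:00 198.51.100.7 GET /docs/r%c3%a9sum%c3%a9.doc 200
2009-05-24 15:03:30 192.0.2.10 PUT /prot%C0%AFected/x.txt 201
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print("overlong UTF-8 in request:", finding)
```

Correctly encoded non-ASCII paths (the %c3%a9 line) are not flagged, so a hit on this check is worth reviewing alongside the response status for the same client and path.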
