XNUXER.OR.ID

Detecting if WebDAV is enabled

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
* IIS 5.0/Windows 2000 SP4

On IIS 6.0, WebDAV is disabled by default. On IIS 5.0 and 5.1, WebDAV is enabled by default and you must edit the registry to disable it.

My method of detection simply involves running a PROPFIND request on the server. This is the same basic PROPFIND request we used in the http-iis-webdav-vuln.nse script:

PROPFIND / HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/xml
Content-Length: 298

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:">
<prop>
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</prop>
</propfind>

This is the method I’ve implemented in the http-iis-webdav-vuln.nse script. It works great in the lab on IIS servers. If we get back anything other than a 207 or 501 then we jump ship saying the web server is not supported. An Ubuntu server running Apache returns a 405 Method Not Allowed for instance.

Checking if a server is vulnerable

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

The original script only used one type of check; it would first find a protected folder (/secret/) and then try inserting the %c0%af character after the first /. It would turn /secret/ into /%c0%afsecret/.

This worked fine on IIS 6.0 but did not work at all on IIS 5.0/5.1. After playing with it some more today, we managed to get it working on IIS 5.1. The trick with 5.1 is that the %c0%af character can not be right after the / but must be somewhere in the middle of the folder name. This also works on IIS 6.0. I modified the script so that it uses the 5.1/6.0 check, turning /secret/ into /s%c0%afecret/.

Finding a vulnerable server

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

Now for the fun part. If you havent turned on some funky cold medina yet, get to it because we’re almost done!

First thing we need to do is find a vulnerable server. I just happen to know of a Windows 2003 box in my lab running IIS 6.0 that is vulnerable (fully patched up to today btw). Lets see how an nmap scan of this box with the updated script works out:

> ./nmap -T4 -p80 --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-20 14:29 CDT
Interesting ports on xxx.xxx.xxx.xxx:
PORT   STATE SERVICE
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders 
discovered: /private, /secret, /webdav

Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds

So now we know the server has WebDAV enabled and that there are three vulnerable folders. Thanks to SkullSecurity.