Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, its *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.
LOW?
IIS5 is awesome (not) because WebDAV is enabled by default but web root is not writable. Wait who still runs Windows 2000?! i know i know app cant be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...its ok if that DA admin script logs into it daily....
The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
*Dirbusting and ruby FTW*
I find that its usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.
Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.
I've also done some posts on webDAV in the past
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html
hdm had done a post on it in the past in relation to the asp payload, i cant find it on the R7 site but its mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html
Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf
HTTP PUT
HTTP PUT/SEARCH usually gets rolled into
Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, i'm sure someone will correct me if i'm wrong.
Writable HTTP PUT is rare (least for me) although some friends say they see it all the time.
metasploit has a module to test for PUT functionality as well.
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, will give you a listing of every file in the webroot.
Very interesting, love LOW vulns for Nessus that are, indeed, very serious if you go deep. Always clear and good works, i really read you with pleasure
ReplyDeleteThere is also a (medium impact) 0day hidden in the Athcon presentation.
ReplyDelete/_vti_bin/wacproxy.ashx?redirect=http://192.168.
50.103&spsite=http://www.google.com/_layouts/images/&docT
ype=PP&callbackFunctionName=b
You can do internal network scanning, remote dos and potentially poisoning the DNS (if vulnerable to Kamisky bug)