Saiu recentemente uma falha que permiter a elevação de privilegio ou simplesmente um bypass na autenticação do Webdav como o Bruno Gonçalves fez um otimo post no seu BLOG http://g0thacked.wordpress.com/2009/05/15/0day-bypassing-remote-webdav-auth-iis-6-0/ .
Muito se comentou da proteção sobre a falha com regras do Snort e o pessoal do Emerging Threats está testando várias opções como a citada abaixo:
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS6.0 WebDav Remote
Auth Bypass - GET METHOD"; content:"Translate:"; nocase;
pcre:"/GET.*%..%.*HTTP/Bi"; pcre:"/Translate: *f/i";
reference:url,isc.sans.org/diary.html?storyid=6397;sid:1000004;
rev:1;)
Sinceramente não testei essa regra e nao sei se o consumo de performance com 2 pcre ira causar.
No site do VRT da Sourcefire simplesmente sugeriram adicionar no pré-processador de http (http_inspect) o monitoramento de ascii ou utf_8 como podem ver em http://vrt-sourcefire.blogspot.com/2009/05/snort-protection-against-iis-60-webdav.html
UPDATE:
O VRT postou a pouco as regras abaixo para detecção:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV COPY remote authentication bypass attempt"; flow:to_server,established; content:"COPY"; http_method; pcre:"/^COPY\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPFIND remote authentication bypass attempt"; flow:to_server,established; content:"PROPFIND"; http_method; pcre:"/^PROPFIND\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPPATCH remote authentication bypass attempt"; flow:to_server,established; content:"PROPPATCH"; http_method; pcre:"/^PROPPATCH\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MKCOL remote authentication bypass attempt"; flow:to_server,established; content:"MKCOL"; http_method; pcre:"/^MKCOL\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:4; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MOVE remote authentication bypass attempt"; flow:to_server,established; content:"MOVE"; http_method; pcre:"/^MOVE\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:5; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV LOCK remote authentication bypass attempt"; flow:to_server,established; content:"LOCK"; http_method; pcre:"/^LOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:6; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV UNLOCK remote authentication bypass attempt"; flow:to_server,established; content:"UNLOCK"; http_method; pcre:"/^UNLOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:7; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV DAV remote authentication bypass attempt"; flow:to_server,established; content:"DAV"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:8; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Destination remote authentication bypass attempt"; flow:to_server,established; content:"Destination"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:9; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Depth remote authentication bypass attempt"; flow:to_server,established; content:"Depth"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:10; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV If remote authentication bypass attempt"; flow:to_server,established; content:"If"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:11; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Lock-Token remote authentication bypass attempt"; flow:to_server,established; content:"Lock-Token"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:12; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Overwrite remote authentication bypass attempt"; flow:to_server,established; content:"Overwrite"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:13; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Timeout remote authentication bypass attempt"; flow:to_server,established; content:"Timeout"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:14; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Translate remote authentication bypass attempt"; flow:to_server,established; content:"Translate"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:15; rev:1;)
Sobre o post: http://vrt-sourcefire.blogspot.com/2009/05/rules-to-detect-iis-60-webdav-exploit.html
FIM UPDATE
Mais sobre a falha com excelente explicação em: http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
Se voce usa IIS com Webdav além do update o monitoramento é muito importante sempre.
Happy Snorting!
Rodrigo Montoro(Sp0oKeR)
Nenhum comentário:
Postar um comentário