Re: Article on WebDAV Vulnerability (MS03-007)

From: aladin (aladin168@hotmail.com)
Date: 03/25/03


From: aladin168@hotmail.com (aladin)
Date: 25 Mar 2003 10:39:56 -0800


"Karl Levinson [x y] mvp" <levinson_k@excite.com> wrote in message news:<#X4lw1k8CHA.2040@TK2MSFTNGP10.phx.gbl>...
> "aladin" <aladin168@hotmail.com> wrote in message
> news:bf0f8e77.0303240937.59259546@posting.google.com...
> > KLC Consulting has published an article on the MS03-007 WebDAV
> > Vulnerability, which includes detection and mitigation
> > recommendations. This article consolidates many experts' inputs and
> > discussions. The URL is:
> > http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm
>
> Yes, yes, it's true that the patch is "the only way to be secure from this."
> However, IMHO some sources were too quick to remove and discount using
> URLScan and other tools IN ADDITION to the patch. The reason why the Army
> servers were hacked was they were relying on patches for security and not
> using URLScan, which would have prevented this compromise and other future
> IIS compromises. I hope those people got the message about the usefulness
> of ALSO using URLScan in addition to patching before the NTBugTraq FAQ on
> this was taken down.
>
> RE: the reference to ISS for signatures to detect this exploit, ISS does not
> disclose their IDS signatures to anyone, not even their customers, much to
> the dismay of their customers. Also, I understand that ISS recently forced
> all their SiteProtector IDS customers to upgrade to the brand new
> SiteProtector 2.0 by immediately ceasing to produce new signatures for the
> previous version with zero overlap... even though it had just emerged from
> beta and still has bugs. I suppose their article is still useful for
> generally understanding this exploit, but unless I'm wrong, they're probably
> not ever going to be a useful place to get IDS signatures.

I agree with you there. I think the URLScan and IISLockdown tools should
be used in addition to the patch from Microsoft to prevent WebDAV and
other known IIS attacks. The WebDAV patch alone only protects
systems from WebDAV vulnerabilities.

In terms of the signatures, if you know the attacks/exploits, then you
can create a set of signatures for your IDS systems. All the WebDAV
commands that can query or pass characters to the servers have this
vulnerability, i.e. POST, SEARCH, ...

If you use Nessus, there is a detection rule from the Nessus website.
The URL is listed in "Detection" section of the KLC's article:
http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm

One version of the exploit is at ftp://ftp.netsys.com/len/iis_txt.c, which
uses the "POST" command to test. However, as I mentioned earlier,
other commands can achieve similar attacks.

Therefore, apply the patch from Microsoft ASAP.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
klai@klcconsulting.net
http://www.klcconsulting.net
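The two controls discussed in this thread, a verb-agnostic IDS signature for the MS03-007 request pattern (Kyle's point that POST, SEARCH and the other WebDAV verbs all reach the same code) and a URLScan-style request policy layered on top of the patch (Karl's point), as an added example that is not code from the original posts, from KLC Consulting, or from Microsoft. It assumes, from the public description of MS03-007, that the trigger is an overlong request URI; the 4096-byte alert threshold, the 260-byte MaxUrl cap, the verb allow-list and the sample request lines are all constructed for illustration, and the URLScan setting names it mirrors ([AllowVerbs]/UseAllowVerbs and [RequestLimits] MaxUrl) are named as a model, not parsed from a real urlscan.ini.

```python
"""Added example: detection and policy checks for overlong WebDAV/HTTP request
URIs of the kind used against MS03-007, run over constructed request lines.

Assumptions (not stated in the thread): the vulnerable path is reached through
an overlong request URI regardless of verb, so the signature keys on URI length
rather than on a single method; all thresholds and lists are illustrative.
"""

import re

# Request-line grammar: METHOD SP Request-URI SP HTTP-Version
REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Za-z]+)\s+(?P<uri>\S+)\s+(?P<version>HTTP/\d\.\d)\s*$"
)

# IDS alert threshold (assumed): legitimate URIs are a few hundred bytes,
# the MS03-007 trigger is tens of kilobytes, so a generous cap still fires.
MAX_URI_LEN = 4096


def parse_request_line(line):
    """Return (METHOD, uri, version) or None if the line is not a request line."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    return m.group("method").upper(), m.group("uri"), m.group("version")


def overlong_uri_alert(line, max_len=MAX_URI_LEN):
    """Signature check: alert on any method carrying an overlong URI.

    Deliberately verb-agnostic, matching the post's observation that POST,
    SEARCH and the other verbs all hand the path to the same server code.
    """
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    method, uri, _ = parsed
    if len(uri) > max_len:
        return {"method": method, "uri_len": len(uri),
                "sig": "MS03-007 overlong WebDAV/HTTP request URI"}
    return None


# URLScan-style policy, modelled on an explicit verb allow-list plus a URL
# length cap ([AllowVerbs]/UseAllowVerbs=1 and [RequestLimits] MaxUrl are the
# setting names being mirrored; values here are assumed for illustration).
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
MAX_URL = 260


def urlscan_decision(line, allowed=ALLOWED_VERBS, max_url=MAX_URL):
    """Return 'allow' or a 'reject: ...' reason for one request line."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "reject: malformed"
    method, uri, _ = parsed
    if method not in allowed:
        return "reject: verb %s not in allow-list" % method
    if len(uri) > max_url:
        return "reject: url length %d exceeds MaxUrl=%d" % (len(uri), max_url)
    return "allow"


def scan(lines):
    """Run both checks; return a list of (line_no, alert_or_None, decision)."""
    return [(n, overlong_uri_alert(line), urlscan_decision(line))
            for n, line in enumerate(lines, 1)]


# Constructed sample request lines (not captured traffic). Lines 3 and 4
# mimic the overlong-URI pattern with SEARCH and with the POST verb used by
# the exploit the post references.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "PROPFIND /docs/ HTTP/1.1",
    "SEARCH /" + "A" * 65535 + " HTTP/1.1",
    "POST /" + "A" * 65535 + " HTTP/1.1",
]

if __name__ == "__main__":
    for n, alert, decision in scan(SAMPLE_REQUESTS):
        print(n, alert, decision)
```

Running it shows the two controls catching different things: the PROPFIND request is under the length threshold and raises no alert, yet the verb allow-list rejects it, while the POST request with the overlong URI is an allowed verb and is still rejected by the length cap. That is the layered argument made above: the patch removes the bug, the signature tells you someone is probing for it, and the request policy blocks the whole class of overlong-URI and unused-verb requests whether or not the next IIS bug has a patch yet.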


