Playing minesweeper with IIS permissions
Some days ago Microsoft published an advisory about a new vulnerability in IIS. The vulnerability allows bypassing the authentication of WebDAV directories: by exploiting it an attacker can read files inside those directories even when they are password protected.
Soon afterwards an entry appeared in the Microsoft SRD (Security Research & Defense) blog explaining that the vulnerability is only exploitable under certain circumstances and is not present in the default configuration. That reminded me of some common situations we find at S21sec when auditing IIS servers.
In theory the default IIS configuration is secure, but many administrators, out of need or curiosity, modify that configuration, and then we enter dangerous territory. Special care is needed with the permissions configured on each directory. The settings to watch are the checkboxes on the directory permissions tab of the IIS manager:
• Script source access: if this option is checked, the source code of the ASP scripts can be downloaded with a plain HTTP GET request carrying the infamous “Translate: f” header, which makes the WebDAV component return the raw file instead of executing it.
• Write: with this option checked, files can be uploaded to the server with the HTTP PUT method (provided the NTFS permissions also allow it).
• A further option allows listing the contents of the directory with the HTTP PROPFIND method. The output is XML, but the names of the files are easy to pick out of it.
• The last option also allows listing the directory with the HTTP SEARCH method (the “directory browsing” option must also be checked for this to work).
Ramon Pinuaga Cascales
Dept. Auditoria S21sec