Playing minesweeper with IIS permissions

Some days ago Microsoft published and advisory about a new vulnerability in IIS. This vulnerability allows bypassing the authentication of Webdav directories. By exploiting this vulnerability an attacker can read files inside those directories, even if they are password protected.

Soon appears an entry in the Microsoft SRD (Security Research & Defense) blog telling the vulnerability only happens under some circumstances and it’s not present in the default configuration. That makes me remember some common situations found at S21sec when we are auditing IIS servers.

In theory the default IIS configuration is secure but a lot of administrators, by need or by curiosity, modify this configuration. And then we enter in a dangerous field. We have to take special care with the configuration of directory permissions. As we can see in this tab:

This is the default situation. But what happens if we check some of the other options that are unchecked:

• Script source access:

If we check this option, we permit the source code of the ASP scripts to be downloaded by using the GET method of HTTP and the infamous “Translate: f” header. For example:

• Write:

With this option we allow the upload of files to the server (if the NTFS permissions also allow it) by using the PUT method of HTTP.

• Directory browsing:

This option allows listing the directory for viewing the files inside by using the PROPFIND method of HTTP. The output is XML, but we can easily see the names of the listed files.

• Index this resource:

This last option also allows to use the SEARCH method of HTTP for listing the directory (the “directory browsing” option must also be checked).

So we end at the following situation:

Resuming, better don’t touch.

Ramon Pinuaga Cascales
Dept. Auditoria S21sec

Deja un comentario