This article is from www.2cto.com.
1. Design purpose of WebDAV

WebDAV is designed for collaborative web development and content management.

2. Configuring WebDAV in IIS

IIS 4 does not implement WebDAV. IIS 5 has WebDAV built in, but unlike ordinary script mappings, IIS offers no configuration interface for it, so WebDAV cannot be configured through the interface IIS provides.

3. How IIS implements WebDAV

IIS implements WebDAV through its CGI and ISAPI interfaces, but because it does not use a script mapping for it, the main IIS program, w3svc.dll, itself contains the logic for recognizing WebDAV requests. Once a request is identified as WebDAV, it is handed to the WebDAV processing module, httpext.dll.

For the common request methods "GET", "HEAD" and "POST", the method alone cannot be used to decide whether a request is WebDAV, because these methods are also served by ordinary mappings. w3svc.dll therefore decides based on the request headers: if the request contains any one of the "Translate:", "If:" or "Lock-Token:" headers, it is treated as a WebDAV request. "Translate:" is the header behind the well-known "Translate: f" source-code disclosure; in fact the other two headers have the same effect, which many IDSs may not know.

IIS does not log "TRACK" requests, so "TRACK" can be used to obtain the server banner and is better for that purpose than the "HEAD" request everyone is used to.

Any request whose method is none of the above is considered a WebDAV request by w3svc.dll and is submitted to httpext.dll for processing. These include the methods supported by WebDAV: "PROPFIND", "PROPPATCH", "MKCOL", "DELETE", "PUT", "COPY", "MOVE", "LOCK" and "UNLOCK".

4. WebDAV security vulnerabilities in IIS

(1) ...

(2) Denial-of-service vulnerability. Because the contents of script files must not be returned directly through WebDAV, WebDAV determines the file type of the requested resource while processing the request. It first searches the request for a "." and then tries to match what follows against the script extensions; if there is no match, it continues searching for the next ".". Obviously this file-type determination algorithm is very inefficient: if a request contains a large number of "." characters, CPU usage rises to 100%, and the system only returns to normal after several or even ten minutes.

(3) Source-code disclosure vulnerability. WebDAV returns the contents of a file once it decides the file is not a script. However, the Windows file-operation APIs have a file-name truncation problem, and this truncation can be used: append a long string to a script file name in an otherwise normal request, so that WebDAV decides the request is not for a script file; when the Windows file API is then called, the trailing string is truncated, the script file is opened, and its contents are returned.

(4) Buffer-overflow vulnerability. WebDAV's file operations call the wide-character ("W") versions of the Windows file APIs, which have buffer overflows under Windows 2000, so WebDAV can be used to reach these overflowing APIs for a buffer-overflow attack. This vulnerability is a wide-char overflow; for how it can be exploited, refer to my article on wide-char string buffer overflow attack technology: http://security.nsfocus.com/showQueryL.asp?LibID=646

5. Security configuration

(1) Install Microsoft's security hardening tool UrlScan. A default installation of UrlScan blocks the WebDAV function. For UrlScan configuration, see "Hardening website security with Microsoft security tools": http://magazine.nsfocus.com/detail.asp?Id=1128

In the default settings, [AllowVerbs] permits only GET, HEAD and POST, and [DenyVerbs] lists PROPFIND, PROPPATCH, MKCOL, DELETE, PUT, COPY, MOVE, LOCK and UNLOCK, which restricts WebDAV to the "GET", "HEAD" and "POST" request methods. For these requests, the three request headers that would turn them into WebDAV requests are blocked by [DenyHeaders]: Translate:, If: and Lock-Token:.

(2) Restrict access permissions on httpext.dll. This is in fact another simple way to disable the WebDAV function.

6. Sample urlscan.ini, the default UrlScan configuration file
[options]
UseAllowVerbs=1             ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0        ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1    ; if 1, canonicalize URL before processing
VerifyNormalization=1       ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=1    ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0            ; if 1, allow dots that are not file extensions
RemoveServerHeader=0        ; if 1, remove "Server" header from response
EnableLogging=1             ; if 1, log UrlScan activity
PerProcessLogging=0         ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0         ; if 1, then UrlScan will load as a low priority filter.

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
AlternateServerName=

[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST
;OPTIONS   ; FrontPage Server Extensions requires OPTIONS. If you need to enable
           ; it, uncomment the OPTIONS verb and set "AllowLateScanning=1" in the
           ; [Options] section above. Additionally, after changing this file and
           ; restarting the web service, you should go to the "ISAPI Filters" tab
           ; for the server's properties in MMC and ensure that UrlScan is listed
           ; lower than fpexedll.dll.

[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:

[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are allowed to run with the below
; settings. If you wish to prevent ASP from running, add the
; following extensions to this list:
;    .asp
;    .cer
;    .cdx
;    .asa
;

; Executables that run on the server
.exe
.bat
.cmd
.com

; Infrequently used scripts
.htw       ; Maps to webhits.dll, part of Index Server
.ida       ; Maps to idq.dll, part of Index Server
.idq       ; Maps to idq.dll, part of Index Server
.htr       ; Maps to ism.dll, a legacy administrative tool
.idc       ; Maps to httpodbc.dll, a legacy database access tool
.shtm      ; Maps to ssinc.dll, for Server Side Includes
.shtml     ; Maps to ssinc.dll, for Server Side Includes
.stm       ; Maps to ssinc.dll, for Server Side Includes
.printer   ; Maps to msw3prt.dll, for Internet Printing Services

; Various static files
.ini       ; Configuration files
.log       ; Log files
.pol       ; Policy files
.dat       ; Configuration files

[DenyUrlSequences]
..         ; Don't allow directory traversals
./         ; Don't allow trailing dot on a directory name
\          ; Don't allow backslashes in URL
:          ; Don't allow alternate stream access
%          ; Don't allow escaping after normalization
&          ; Don't allow multiple CGI processes to run on a single request
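The article's point in section 3, that a GET, HEAD or POST becomes a WebDAV request the moment it carries a "Translate:", "If:" or "Lock-Token:" header and that many IDSs only look at the method, is easiest to see from the detection side. The following is an added example in Python, not code from the article: it classifies raw requests the way the article says w3svc.dll does and reports which WebDAV requests a method-only signature would miss. All sample requests are constructed; the host name and the lock token are placeholders.

```python
# Added example (not code from the article): classify HTTP requests the way the
# article says w3svc.dll does, and show which WebDAV requests a signature that
# looks only at the request method would miss. All sample requests are constructed.

# Methods w3svc.dll serves through ordinary mappings; anything else goes to httpext.dll.
NON_WEBDAV_METHODS = ("GET", "HEAD", "POST")
# Headers that turn a GET/HEAD/POST into a WebDAV request (article, section 3).
WEBDAV_TRIGGER_HEADERS = ("translate", "if", "lock-token")


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, lowercased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    method = parts[0].upper()
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_webdav_request(method, headers):
    """Rule described for w3svc.dll: a method outside GET/HEAD/POST is WebDAV;
    GET/HEAD/POST is WebDAV only when one of the trigger headers is present."""
    if method not in NON_WEBDAV_METHODS:
        return True
    return any(h in headers for h in WEBDAV_TRIGGER_HEADERS)


def classify(raw):
    """Verdict for one request, plus whether a method-only IDS rule would miss it."""
    method, path, headers = parse_request(raw)
    webdav = is_webdav_request(method, headers)
    method_only_verdict = method not in NON_WEBDAV_METHODS
    return {
        "method": method,
        "path": path,
        "webdav": webdav,
        "trigger_headers": [h for h in WEBDAV_TRIGGER_HEADERS if h in headers],
        "missed_by_method_rule": webdav and not method_only_verdict,
    }


def count_missed(raw_requests):
    """How many WebDAV requests in a batch the method-only rule would not flag."""
    return sum(1 for r in raw_requests if classify(r)["missed_by_method_rule"])


# Constructed sample traffic (host name and lock token are placeholders).
SAMPLE_REQUESTS = [
    "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "PROPFIND / HTTP/1.1\r\nHost: www.example.com\r\nDepth: 0\r\n\r\n",
    "POST /form.asp HTTP/1.1\r\nHost: www.example.com\r\n"
    "If: (<opaquelocktoken:constructed-example>)\r\nContent-Length: 0\r\n\r\n",
    # TRACK is outside GET/HEAD/POST, so this rule flags it; the article notes that
    # IIS itself does not log TRACK, so a network sensor is where it would be seen.
    "TRACK / HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        v = classify(raw)
        print(f"{v['method']:9}{v['path']:14} webdav={v['webdav']!s:5} "
              f"triggers={v['trigger_headers']} missed_by_method_rule={v['missed_by_method_rule']}")
    print("missed by method-only rule:", count_missed(SAMPLE_REQUESTS))
```

Of the five constructed requests, the method-only rule misses two: the GET with "Translate: f" and the POST with an "If:" header, which is exactly the gap the article attributes to many IDSs. The same header test is what the UrlScan [DenyHeaders] section in the sample file closes.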
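To show how the sample file above is actually applied to a request, here is an added example, not UrlScan's own code, that parses a urlscan.ini and evaluates requests against it, approximating the documented behaviour of the options the sample uses: the verb allow/deny lists, [DenyHeaders], URL normalization with VerifyNormalization, [DenyUrlSequences], [DenyExtensions] and AllowDotInPath=0. SAMPLE_INI is a constructed, abbreviated copy of the sample file; the request values are constructed. The UseAllowExtensions=1 mode and the logging and Server-header options are not modelled, and the real filter's check order may differ.

```python
# Added example, not UrlScan's own code: parse a urlscan.ini and evaluate requests
# against it, approximating the documented semantics of the options the article's
# sample file uses. SAMPLE_INI is a constructed, abbreviated copy of that sample.
from urllib.parse import unquote

SAMPLE_INI = r"""[options]
UseAllowVerbs=1          ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0     ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1 ; if 1, canonicalize URL before processing
VerifyNormalization=1    ; if 1, canonicalize URL twice and reject request if a change occurs
AllowDotInPath=0         ; if 1, allow dots that are not file extensions

[AllowVerbs]
GET
HEAD
POST

[DenyVerbs]
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK

[DenyHeaders]
Translate:
If:
Lock-Token:

[DenyExtensions]
.exe                     ; Executables that run on the server
.htr                     ; Maps to ism.dll, a legacy administrative tool
.ini                     ; Configuration files

[DenyUrlSequences]
..                       ; Don't allow directory traversals
./                       ; Don't allow trailing dot on a directory name
\                        ; Don't allow backslashes in URL
:                        ; Don't allow alternate stream access
%                        ; Don't allow escaping after normalization
&                        ; Don't allow multiple CGI processes to run on a single request
"""

def parse_ini(text):
    """{'options': {key: value}, '<section>': [entries]}; text after ';' is a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {} if current == "options" else []
        elif current == "options":
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        else:
            sections[current].append(line)
    return sections

def evaluate(cfg, method, url, headers):
    """Checks, in this order: verb, denied headers, normalization, URL sequences,
    extension, stray dots. Returns (allowed, reason)."""
    opts, method = cfg["options"], method.upper()
    if opts.get("useallowverbs") == "1":
        if method not in {v.upper() for v in cfg.get("allowverbs", [])}:
            return False, f"verb {method} not in [AllowVerbs]"
    elif method in {v.upper() for v in cfg.get("denyverbs", [])}:  # only when UseAllowVerbs=0
        return False, f"verb {method} in [DenyVerbs]"
    present = {h.lower() for h in headers}
    for name in cfg.get("denyheaders", []):
        if name.rstrip(":").lower() in present:
            return False, f"header {name} in [DenyHeaders]"
    path = url.split("?", 1)[0]                      # query string is not scanned here
    if opts.get("normalizeurlbeforescan") == "1":
        path = unquote(path)
        if opts.get("verifynormalization") == "1" and unquote(path) != path:
            return False, "URL changes again on second normalization (double encoding)"
    for seq in cfg.get("denyurlsequences", []):
        if seq in path:
            return False, f"sequence {seq!r} in [DenyUrlSequences]"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in {e.lower() for e in cfg.get("denyextensions", [])}:  # UseAllowExtensions=1 not modelled
        return False, f"extension {ext} in [DenyExtensions]"
    # AllowDotInPath=0: the only dot permitted is the one that starts the extension.
    if opts.get("allowdotinpath") == "0" and "." in path[: len(path) - len(ext)]:
        return False, "dot outside the file extension (AllowDotInPath=0)"
    return True, "allowed"

DEFAULT_CFG = parse_ini(SAMPLE_INI)

if __name__ == "__main__":
    # Constructed requests: a plain GET, a WebDAV verb, and a GET turned WebDAV by a header.
    for m, u, h in [("GET", "/default.asp", {}), ("PROPFIND", "/", {"Depth": "0"}),
                    ("GET", "/default.asp", {"Translate": "f"})]:
        print(m, u, *evaluate(DEFAULT_CFG, m, u, h))
```

With the sample's defaults, PROPFIND is refused because UseAllowVerbs=1 makes [AllowVerbs] the active list (the [DenyVerbs] list is consulted only when UseAllowVerbs=0), and a GET carrying "Translate: f" is refused by [DenyHeaders], while a plain GET /default.asp passes. The same evaluator also shows the side effects of the other defaults: a request for /dir.old/index.htm fails AllowDotInPath=0, and /default.asp%25 decodes to a trailing "%" that [DenyUrlSequences] rejects.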