
RE: [Snort-sigs] WebDAV nessus script?

From: Tobia,Paul <PTOBIA(at)cerner.com>
Date: Tue Mar 18 2003 - 18:16:20 EST

There's a post on NTBugTraq from ARAI Yuu <y.arai@lac.co.jp> that claims LOCK did work. He used a buffer >65000. Joe, can you confirm... anyone else?

Would a sig that looks for the commands confirmed and has a dsize parameter be sufficient to catch any exploits? Anyone have any evidence on how much the buffer can handle?

alert tcp any any -> any any (msg:"Possible WebDAV Overrun SEARCH"; content:"SEARCH /"; flow: to_server,established; dsize: >20000;)

alert tcp any any -> any any (msg:"Possible WebDAV Overrun PROPFIND"; content:"PROPFIND /"; flow: to_server,established; dsize: >20000;)

-----Original Message-----
From: Joe Stewart [mailto:jstewart@lurhq.com]
Sent: Tuesday, March 18, 2003 3:21 PM
To: PTOBIA@cerner.com
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] WebDAV nessus script?

On Tuesday 18 March 2003 02:32 pm, Paul Tobia wrote:

> In unsafe mode it dumps "SEARCH /{65535 random overrun chars}
> HTTP/1.1\r\n" onto the server and if it crashes IIS it's vulnerable.
> You can probably use other commands beside SEARCH to exploit the vuln.


I tested the overflow using a custom script based on the Nessus plugin. I tested overflowing all of the following methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH. Of these, only PROPFIND and SEARCH seemed to be vulnerable. When run against an unpatched server using either of these methods, the result was:

HTTP/1.1 500 Internal Server Failure
Server: Microsoft-IIS/5.0
Date: Tue, 18 Mar 2003 21:00:07 GMT
Content-Type: text/html
Content-Length: 67

<body><h1>HTTP/1.1 500 Internal Server Error(exception)</h1></body>

IIS did not actually stop running, and there were no exceptions logged in the Win2K event viewer.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
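The two draft rules above combine a `content` match on the request line with `dsize: >20000`. A caveat a detection engineer would want spelled out: `dsize` is evaluated against the payload of a single packet, and a 65535-byte request line sent over Ethernet arrives as many ~1460-byte TCP segments, so the rule only fires if stream reassembly hands the rule a reassembled buffer. The following Python model (an added example, not code from the thread or from Snort) applies the same content-plus-size logic to constructed HTTP requests, first against the whole reassembled request and then per segment, to show that difference. Rule messages, the 20000 threshold and the 1460-byte segment size are taken from the post or are stated assumptions; the request bodies are constructed.

```python
"""Toy model of the two Snort rules from the post (content + dsize), applied
to constructed WebDAV requests. Added example; not Snort's matching engine."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    msg: str          # the rule's msg: option
    content: bytes    # the rule's content: option (substring match)
    min_dsize: int    # the rule's dsize: >N threshold


# The two rules proposed in the post, expressed as data.
RULES = [
    Rule("Possible WebDAV Overrun SEARCH", b"SEARCH /", 20000),
    Rule("Possible WebDAV Overrun PROPFIND", b"PROPFIND /", 20000),
]

# Assumed TCP segment payload size on a plain Ethernet path (1500 MTU, no options).
ASSUMED_MSS = 1460


def match(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Return the msg of every rule whose content appears in the payload AND
    whose dsize threshold is exceeded. Mirrors 'content' + 'dsize: >N'."""
    return [r.msg for r in rules
            if len(payload) > r.min_dsize and r.content in payload]


def build_request(method: str, uri_len: int) -> bytes:
    """Construct a request whose URI is uri_len filler bytes (constructed sample)."""
    head = f"{method} /{'A' * uri_len} HTTP/1.1\r\n"
    return (head + "Host: constructed.example\r\n\r\n").encode("ascii")


def segment(payload: bytes, mss: int = ASSUMED_MSS) -> List[bytes]:
    """Split a reassembled payload into TCP-segment-sized chunks."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def match_reassembled(payload: bytes) -> List[str]:
    """What the rule sees when the stream has been reassembled into one buffer."""
    return match(payload)


def match_per_segment(payload: bytes, mss: int = ASSUMED_MSS) -> List[str]:
    """What the rule sees if dsize is checked against each segment on its own."""
    hits: List[str] = []
    for seg in segment(payload, mss):
        hits.extend(match(seg))
    return hits


if __name__ == "__main__":
    normal = build_request("PROPFIND", 10)
    oversized = build_request("SEARCH", 65535)
    print("normal PROPFIND, reassembled:", match_reassembled(normal))
    print("oversized SEARCH, reassembled:", match_reassembled(oversized))
    print("oversized SEARCH, per segment:", match_per_segment(oversized))
```

Running it shows the oversized SEARCH request matching only when the whole request is presented as one buffer; split into segments, no single segment exceeds 20000 bytes, so neither rule fires. A method not named in the rules (LOCK, which the NTBugTraq post mentions) produces no hit either, which is the gap the question about a signature per confirmed command is really about.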



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Received on Tue Mar 18 18:45:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:26 EDT
