Wednesday, May 20, 2009

Rules to detect IIS 6.0 WebDAV exploit

Thanks for the inquiries. Here are rules that detect attacks against IIS 6.0 with WebDAV enabled.

(see yesterdays post for details)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV COPY remote authentication bypass attempt"; flow:to_server,established; content:"COPY"; http_method; pcre:"/^COPY\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:1; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPFIND remote authentication bypass attempt"; flow:to_server,established; content:"PROPFIND"; http_method; pcre:"/^PROPFIND\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:2; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV PROPPATCH remote authentication bypass attempt"; flow:to_server,established; content:"PROPPATCH"; http_method; pcre:"/^PROPPATCH\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:3; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MKCOL remote authentication bypass attempt"; flow:to_server,established; content:"MKCOL"; http_method; pcre:"/^MKCOL\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:4; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV MOVE remote authentication bypass attempt"; flow:to_server,established; content:"MOVE"; http_method; pcre:"/^MOVE\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:5; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV LOCK remote authentication bypass attempt"; flow:to_server,established; content:"LOCK"; http_method; pcre:"/^LOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:6; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV UNLOCK remote authentication bypass attempt"; flow:to_server,established; content:"UNLOCK"; http_method; pcre:"/^UNLOCK\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:7; rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV DAV remote authentication bypass attempt"; flow:to_server,established; content:"DAV"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:8; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Destination remote authentication bypass attempt"; flow:to_server,established; content:"Destination"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:9; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Depth remote authentication bypass attempt"; flow:to_server,established; content:"Depth"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:10; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV If remote authentication bypass attempt"; flow:to_server,established; content:"If"; http_header;  pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:11; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Lock-Token remote authentication bypass attempt"; flow:to_server,established; content:"Lock-Token"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:12; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Overwrite remote authentication bypass attempt"; flow:to_server,established; content:"Overwrite"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:13; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Timeout remote authentication bypass attempt"; flow:to_server,established; content:"Timeout"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:14; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS Microsoft IIS 6.0 WebDAV Translate remote authentication bypass attempt"; flow:to_server,established; content:"Translate"; http_header; nocase; pcre:"/^[A-Z]+\s+[^\x0a]*?(\x25[89A-F][0-9A-F])/si"; reference:url,www.microsoft.com/technet/security/advisory/971492.mspx; reference:cve,2009-1676; classtype:attempted-user; sid:15; rev:1;)

Note: These rules are covered by the Sourcefire VRT Certified Rules License agreement available here: http://www.snort.org/about_snort/licenses/vrt_license.html

Also, some browsers do not wrap the rules properly but highlight, copy and paste works just fine.
Posted by at
Labels: , ,

3 comments:

  1. AnonymousMay 20, 2009 at 12:08 PM

    Those sids look a little low.

    ReplyDelete
  2. Nigel HoughtonMay 20, 2009 at 1:43 PM

    Those sids should be changed to suit the environment.

    ReplyDelete
  3. Justin ProscoMay 22, 2009 at 4:23 PM

    The "WEB-IIS Microsoft IIS 6.0 WebDAV If remote authentication bypass attempt" has a relatively high false positive rate.

    The "nocase" modifier on the "If" content match causes this signature to alert on headers that are not related to WebDAV.

    Examples:
    "Accept: image/gif"
    "If-Modified-Since:"

    According to MSDN, there should be a colon after the If header for WebDav:
    http://msdn.microsoft.com/en-us/library/aa580816.aspxTo reduce the false positives, and ensure that this is a WebDAV related "if" in the header, the first content match should be "If\:".

    ReplyDelete

Post a Comment

Note: Only a member of this blog may post a comment.

Subscribe to: Post Comments (Atom)