Tuesday, May 19, 2009

Snort protection against IIS 6.0 WebDAV exploit

Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.

An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).

Snort already has coverage for this vulnerability by using the http_inspect preprocessor. In order to detect attacks, make sure that ascii yes or utf_8 yes is added to your configuration.

For example:

preprocessor http_inspect_server: server default \
ports { 80 8080 } \
server_flow_depth 0 \
ascii yes \ # or “utf_8 yes”
double_decode yes \
non_rfc_char { 0x00 } \
chunk_length 500000 \
non_strict \
oversize_dir_length 300


It is also possible to detect this activity using rules, if there is sufficient interest, let us know and we'll post them here.

No comments:

Post a Comment