Tuesday, May 19, 2009

Snort protection against IIS 6.0 WebDAV exploit

Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.

An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).

Snort already has coverage for this vulnerability by using the http_inspect preprocessor. In order to detect attacks, make sure that ascii yes or utf_8 yes is added to your configuration.

For example:

preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    server_flow_depth 0 \
    ascii yes \ # or “utf_8 yes”
    double_decode yes \
    non_rfc_char { 0x00 } \
    chunk_length 500000 \
    non_strict \
    oversize_dir_length 300


It is also possible to detect this activity using rules, if there is sufficient interest, let us know and we'll post them here.
Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)