Tuesday, May 19, 2009

Snort protection against IIS 6.0 WebDAV exploit

Microsoft Security Advisory (971491) published on May 18, 2009 concerns a vulnerability in IIS that may allow unauthorized access to an area of a website that would normally be protected.

An attack against IIS 6.0 with WebDAV enabled was published at milw0rm (http://www.milw0rm.com/exploits/8704).

Snort already covers this vulnerability through the http_inspect preprocessor. To detect attacks, make sure that either "ascii yes" or "utf_8 yes" is set in your http_inspect_server configuration.

For example:

# "ascii yes" below may be replaced with "utf_8 yes"
preprocessor http_inspect_server: server default \
ports { 80 8080 } \
server_flow_depth 0 \
ascii yes \
double_decode yes \
non_rfc_char { 0x00 } \
chunk_length 500000 \
non_strict \
oversize_dir_length 300
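
One way to audit an existing snort.conf for this setting, as an added example (not from the original post or the Snort project): the script joins backslash-continued lines and reports, for each http_inspect_server entry, whether it carries an explicit "ascii yes" or "utf_8 yes". The sample configuration, the 192.0.2.5 server entry, and the function names are constructed for illustration; options implied by a profile are not considered.

```python
import re

# Constructed sample snort.conf fragment (not from a real deployment).
SAMPLE_CONF = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    server_flow_depth 0 \
    ascii yes \
    double_decode yes
# utf_8 yes   <- commented out, must not count
preprocessor http_inspect_server: server 192.0.2.5 \
    ports { 80 } \
    utf_8 no \
    oversize_dir_length 300
"""

SERVER_RE = re.compile(
    r"preprocessor\s+http_inspect_server\s*:\s*server\s+(\{[^}]*\}|\S+)(.*)")
ALERT_RE = re.compile(r"\b(ascii|utf_8)\s+yes\b")

def logical_lines(text):
    """Yield config statements with backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and full-line comments between statements.
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
        else:
            buf.append(line)
            yield " ".join(buf)
            buf = []
    if buf:  # file ended on a dangling continuation
        yield " ".join(buf)

def audit_http_inspect(text):
    """Return [(server, has_explicit_ascii_or_utf8_yes)] per server entry."""
    results = []
    for stmt in logical_lines(text):
        m = SERVER_RE.match(stmt)
        if m:
            results.append((m.group(1), bool(ALERT_RE.search(m.group(2)))))
    return results

if __name__ == "__main__":
    for server, ok in audit_http_inspect(SAMPLE_CONF):
        print(f"{server}: {'ok' if ok else 'MISSING ascii yes / utf_8 yes'}")
```
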


It is also possible to detect this activity using rules. If there is sufficient interest, let us know and we'll post them here.