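Hi All,

Here's a first cut test for todays IIS WebDAV hole. It simply checks for an
IIS 5.0 server that has WebDAV enabled.

Cheers

Rich.

#
# Script that determines if IIS 5.0 with WebDAV enabled, is running on
# a remote machine. This test will false-positive on boxes that are running
# IIS with WebDAV, but have patched the vulnerability.
#
# What the check actually establishes:
#   - the Server header advertises Microsoft-IIS/5.0, and
#   - a PROPFIND sent without a body is answered with HTTP 411, which the
#     author uses as the sign that WebDAV is enabled.
# It does not look at patch level, so a positive result means "IIS 5.0 with
# WebDAV reachable", not "confirmed vulnerable". Treat findings as candidates
# and confirm patch status on the host before escalating.
#

if(description)
{
 script_id(88888);
 script_version ("$Revision$");
 script_cve_id("CAN-2003-0109");

 script_name(english:"IIS WebDAV buffer overrun");

 # "Risk Factory" in the posted draft was a typo; the label below is the
 # conventional spelling used in plugin descriptions.
 script_description(english:"
The remote IIS server appears to be a version that is vulnerable to a buffer
overrun when a malicious WebDAV request is sent.

Solution: Disable WebDAV or patch the server.

Risk factor : Critical
");

 script_summary(english:"Tests the remote IIS server for WebDAV support");

 # NOTE(review): the probe below is a single bodyless PROPFIND and sends no
 # oversized data. The category is left as the author set it; confirm whether
 # ACT_GATHER_INFO would be the better fit so the check also runs in scans
 # that exclude attack-category plugins.
 script_category(ACT_ATTACK);

 # Dependencie(s)
 script_dependencie("find_service.nes", "http_version.nasl");

 # Family
 family["english"] = "Denial of Service";
 script_family(english:family["english"]);

 # Copyright
 script_copyright(english:"Author Richard Moore richat_private, Copyright (C) 2003 Westpoint Ltd");

 script_require_ports("Services/www", 80);
 script_require_keys("www/iis");
 exit(0);
}

# Use the web port recorded in the knowledge base, falling back to 80.
port = get_kb_item("Services/www");
if(!port) port = 80;

if(get_port_state(port))
{
 soc = open_sock_tcp(port);
 if(!soc) exit(0);

 # PROPFIND with no Content-Length and no body.
 req = string("PROPFIND / HTTP/1.1\r\n",
              "Host: ", get_host_name(), "\r\n",
              "\r\n");
 send(socket:soc, data:req);
 r = recv(socket:soc, length:4096);
 close(soc);

 # Nothing came back (filtered port, reset, timeout): nothing to evaluate.
 if(!r) exit(0);

 # Is this an IIS 5.0 machine?
 # egrep() is used so that every line of the response is examined; ereg() may
 # only consider the first line on some interpreter versions (TODO confirm),
 # which would never reach the Server header. The dot is escaped so that only
 # a literal "5.0" matches.
 if ( egrep(string:r, pattern:"^Server:.*Microsoft-IIS/5\.0") )
 {
  # Is this IIS 5.0 box running WebDAV?
  # Match 411 as the status code itself; the looser "^HTTP.*411" could also
  # be satisfied by those digits appearing later in the response.
  if ( ereg(string:r, pattern:"^HTTP/1\.[01] 411") )
  {
   security_hole(port);
  }
 }
}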