Apache/WebDAV Defacement Explained
Incident
Date : 03/04/2005 02:24 AM
Type : Web Site Defacement
Analysis Performed by :
Chris Dufalac : dufalac@musc.edu
Matthew Gregg : greggmc@musc.edu
Paul Arrington : arringtp@musc.edu
Exploit
An unauthorized person was able to post 2 HTML documents to a local MUSC website because of a misconfiguration in the Apache configuration that allowed unauthenticated WebDAV access to the base directory of the web site. The documents, x.htm and index.htm, were merely used to boast of a successful compromise.
Operating System : Mac OS X
Web Server : Apache 1.3.33
Exploit Vector
It is unknown whether this Apache misconfiguration was part of the base install for Mac OS X or whether the "DAV On" was a manual change made by the site administrator.
- Virtual Host apache Conf file -
/private/etc/httpd/sites/0000_any_80_.conf
<Directory "/Volumes/Mirror/web">
    Options All -Indexes -ExecCGI +MultiViews
    <IfModule mod_dav.c>
        DAV On
    </IfModule>
    AllowOverride None
</Directory>
Detecting a Vulnerable System
Download the tool cadaver and attempt to establish a connection to the target server. It was determined that the WebDAV drive-mapping tools were unable to replicate this upload.
shell> cadaver http://yourwebserver.musc.edu
If the above command allows you to access the root share without a login/password combination, then you have a vulnerable system.
The Saga
A misconfiguration in a WebDAV share allowed non-authenticated access to the root directory of the web server. A defacement hacker identified this misconfiguration and uploaded two defaced web pages to the server.
The Audit Trail
HTTP status codes quick reference
200 = OK
201 = Created
204 = No Content
# Apache Logs indicated files that were overwritten by the defacement hacker
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:27 -0500] "PUT /x.htm HTTP/1.0" 201 251
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:28 -0500] "GET / HTTP/1.1" 200 11229
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:37 -0500] "PUT /x.htm HTTP/1.0" 204 0
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:29:13 -0500] "PUT /index.htm HTTP/1.0" 201 255
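As an added example (not part of the original report), a short Python script that walks Apache access-log lines and flags every write method the server accepted with a 2xx status, so the list of files the attacker touched can be checked against a known-good copy; a PUT answered 201 is a new file and a PUT answered 204 is an overwrite, as in the quick reference above. The sample log is constructed from the audit trail, keeping its address placeholder and adding one denied request.

```python
import re
from datetime import datetime
# Apache common log format, as in the audit trail above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# HTTP/WebDAV methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "POST", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH", "LOCK", "UNLOCK"}
# What a 2xx reply to PUT means for the target file (see the quick reference above).
PUT_OUTCOME = {201: "created", 204: "overwritten"}

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_writes(lines):
    """Return (timestamp, ip, method, path, outcome) for every write request the server accepted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] in WRITE_METHODS and 200 <= rec["status"] < 300:
            what = PUT_OUTCOME.get(rec["status"], "ok") if rec["method"] == "PUT" else "ok"
            hits.append((rec["ts"], rec["ip"], rec["method"], rec["path"], what))
    return hits

def files_touched(lines):
    """Distinct paths written, in first-seen order, to be compared against a known-good copy."""
    seen = []
    for _, _, _, path, _ in find_writes(lines):
        if path not in seen:
            seen.append(path)
    return seen

# Constructed sample: the report's four lines (with its address placeholder) plus one denied PUT.
SAMPLE_LOG = """\
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:27 -0500] "PUT /x.htm HTTP/1.0" 201 251
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:28 -0500] "GET / HTTP/1.1" 200 11229
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:24:37 -0500] "PUT /x.htm HTTP/1.0" 204 0
xxx.xxx.xxx.xxx - - [04/Mar/2005:02:29:13 -0500] "PUT /index.htm HTTP/1.0" 201 255
10.0.0.5 - - [04/Mar/2005:03:00:00 -0500] "PUT /other.htm HTTP/1.0" 403 0
"""
for hit in find_writes(SAMPLE_LOG.splitlines()):
    print(*hit)
```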
Recovery
The web server logs were thoroughly analyzed to determine whether any other web server files had been overwritten or modified. In addition, the system logs were checked to determine whether any further compromise had been achieved. However, no remote logging was set up for this system, so it is possible that the compromise was more serious and that some evidence was subsequently excised from the local logs by the attacker(s), leaving only the evidence of the simple defacement behind as a cover story.
Lessons Learned
- If the default configuration of Apache or Mac OS X contains unauthenticated WebDAV access, then as a first step in configuring the web server, verify that this option has been disabled or that appropriate authentication has been implemented.
- Always implement remote logging to provide assurance that your local log trail has not been fabricated or removed.
An example of a secured DAV configuration to be added to httpd.conf:
DAVLockDB "/var/lock/DAV/DAVLock"
DAVMinTimeout 600
<Location /exampledir>
    DAV On
    Options Indexes Includes ExecCGI
    AllowOverride AuthConfig FileInfo
    AuthType Basic
    AuthName "MNA ID and Password"
    AuthUserFile /full/path/to/psswd/file
    # Read-only methods: PROPPATCH changes properties, so it belongs with the write methods below.
    <Limit HEAD GET PROPFIND>
        require group readgroup
    </Limit>
    # Methods that create, modify, remove, lock or copy content. The method list must stay on one line.
    <Limit MKCOL PUT DELETE LOCK UNLOCK COPY MOVE PROPPATCH POST OPTIONS PROPFIND>
        require group writegroup
    </Limit>
    # Any method not named in a <Limit> above carries no require and is left unrestricted;
    # <LimitExcept> can be used to cover the remainder.
</Location>