Exploiting Put Method | Asfiya Shaikh

Seems like a boring topic? But mind you, its NOT!

An attacker could get a local or root shell on the system using publicly accessible put method also known as one of Webdav method.

WebDAV is a term given to a collection of HTTP methods.HTTP requests can use a range of methods other than the standard GET and POST methods.

WebDAV can be used to manipulate files on the web server. Given the nature of the functionality, if these are accessible by low-privileged users, they may provide an effective avenue for attacking an application.

Aahh… the bookish things … lets explore more

Here are some methods to look for:
- PUT uploads the attached file to the specified location.
- DELETE deletes the specified resource.
- COPY copies the specified resource to the location given in the Destination
header.
- MOVE moves the specified resource to the location given in the Destination
header.
- SEARCH searches a directory path for resources.
- PROPFIND retrieves information about the specified resource, such as
author, size, and content type.

Okay … explained it on a big note … Lets check how we can actually perform the attack.

We can use the OPTIONS method to list the HTTP methods that are permitted in a particular directory.

This response indicates that several of the powerful methods listed previously
are in fact allowed.However we will be looking at exploiting put method.

The PUT method is particularly dangerous. If you upload arbitrary files within
the web root, the first target is to create a backdoor script on the server that will be executed by a server-side module, thereby giving the attacker full control of the application, and often the web server itself.

If the PUT method appears to be present and enabled,application will respond with 201 created response as shown in below Exhibit.

you may receive 405 status code if you attempt to use the PUT method where it is not supported. 405 Method Not Allowed indicates that the method used in the request is not supported for the specified URL.

We can even upload reverse shell directly instead of backdoor as shown in below Exhibit.

Note that permissions are likely to be implemented per directory, so recursive checking is required in an attack. Tools such as DAVTest can be used to iteratively check all directories on the server for the PUT method.

Observe the difference between below tests.

Image courtesy — https://tools.kali.org/web-applications/davtest

As http://192.168.1.209/ has put method enabled, it shows different response than http://mdsec.net/public which has disabled put method access.

Also note that For WebDAV instances where end users are permitted to upload files, it is relatively common for uploading server-side scripting language extensions specific to that server’s environment to be forbidden. The ability to upload HTML or JAR files is much more likely, and both of these allow attacks against other users to be conducted.

Huhhh…. too much of information … lets summarize the testing steps to be followed -

a. Attempt to use the PUT method to upload a benign file
b. If this is successful, try uploading a backdoor script using PUT.
c. If the necessary extension for the backdoor to operate is being
blocked, try uploading the file with a .txt extension and using the
MOVE method to move it to a file with a new extension.(If MOVE doesn’t work try COPY method)
d. If any of the preceding methods fails, try uploading a JAR file, or a file
with contents that a browser will render as HTML.
e. Recursively step through all the directories using a tool such as
davtest.

Remediation

Only GET and POST HTTP methods should be allowed and other unused methods should be blocked. If required these extra methods should only be enabled with credentials and public access denied.

References

http://stackoverflow.com/questions/320959/disabling-put-trace-delete-request-in-apache-tomcat-6-0 
https://forums.asp.net/t/1703115.aspx?Disable+http+OPTIONS+method 
http://stackoverflow.com/questions/320959/disabling-put-trace-delete-request-in-apache-tomcat-6-0