[9064] in bugtraq
MS IIS 4.0 Security Advisory
daemon@ATHENA.MIT.EDU (mnemonix)
Fri Jan 15 02:04:31 1999
Date: Thu, 14 Jan 1999 08:25:28 -0000
Reply-To: mnemonix <mnemonix@GLOBALNET.CO.UK>
From: mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To: ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG
This advisory applies to servers that were upgraded to IIS 4 from IIS 2 or 3.
Microsoft's IIS 4 limits Web-based administration to the loopback address
(127.0.0.1) by default as a security measure. However, a relic left over
from IIS 2 and 3, ism.dll in the /scripts/iisadmin directory, lets
users / attackers reach the previous ISAPI application used for remote
Web-based administration from a non-loopback IP address. On requesting a
URL similar to the following
http://www.server.com/scripts/iisadmin/ism.dll?http/dir
a user is prompted for a UserID and password, and if authentication
succeeds they are given access to sensitive server information. Note,
however, that changes can no longer be made with this application. It does
give an attacker a means to brute force / guess the Administrator's
password, and if that succeeds an enormous amount of reconnaissance work
can be done through the application. This application is now redundant and
can be removed: it plays no part in IIS 4's Web-based administration.
Added to this, if IIS 4 is installed from the NT Option Pack and FrontPage
Server Extensions are installed too, the fpcount.exe utility found in
/_vti_bin/ contains an exploitable buffer overrun. I advised on this last
year and MS produced an updated version in FrontPage Server Extensions 98
which can be downloaded from the MS website.
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
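As an added example (not part of the original advisory, and not code from its author), the following Python script audits IIS W3C extended log lines for the two exposures described above: requests for /scripts/iisadmin/ism.dll from non-loopback clients, with repeated 401 responses to one address taken as a sign of password guessing against the legacy administration application, and any request for /_vti_bin/fpcount.exe. The sample log lines, the #Fields layout and the guess threshold are constructed assumptions; the two paths are the ones named in the advisory.

```python
import ipaddress
from collections import Counter

# Legacy artifacts named in the advisory (paths as given there).
LEGACY_ISM = "/scripts/iisadmin/ism.dll"
FPCOUNT = "/_vti_bin/fpcount.exe"

# Constructed sample of a W3C extended IIS log (not real data); the field
# layout is an assumption and must match the server's own #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 1999-01-14 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-01-14 08:00:01 127.0.0.1 GET /iisadmin/ - 200
1999-01-14 08:00:05 10.1.2.3 GET /default.htm - 200
1999-01-14 08:01:10 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 08:01:11 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 08:01:12 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 08:01:13 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 08:01:14 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 08:01:15 10.1.2.3 GET /scripts/iisadmin/ism.dll http/dir 200
1999-01-14 08:02:00 192.168.5.9 GET /_vti_bin/fpcount.exe Page=x 200
1999-01-14 08:03:00 127.0.0.1 GET /scripts/iisadmin/ism.dll http/dir 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # records before any #Fields line cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1, the only clients IIS 4 admin is meant for."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit(text, guess_threshold=3):
    """Summarise legacy ISM use from non-loopback clients and fpcount.exe hits.

    guess_threshold (assumed value) is the number of 401s from one client
    that is reported as password guessing.
    """
    failed = Counter()      # non-loopback client -> count of 401 on ism.dll
    succeeded = set()       # non-loopback clients that got a 200 from ism.dll
    fpcount_hits = Counter()
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        ip = rec["c-ip"]
        status = rec["sc-status"]
        if uri == LEGACY_ISM:
            if is_loopback(ip):
                continue  # loopback use is the intended IIS 4 behaviour
            if status == "401":
                failed[ip] += 1
            elif status == "200":
                succeeded.add(ip)
        elif uri == FPCOUNT:
            fpcount_hits[ip] += 1
    return {
        "ism_remote_clients": sorted(set(failed) | succeeded),
        "ism_guessing": sorted(ip for ip, n in failed.items() if n >= guess_threshold),
        "ism_remote_success": sorted(succeeded),
        "fpcount_clients": sorted(fpcount_hits),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Any entry in ism_remote_clients means the leftover ism.dll is still reachable from outside the loopback interface and should be removed as the advisory recommends; ism_remote_success is the set of addresses that authenticated, which is worth checking against expected administrators. The script reads the file format only, so it can be run offline against an exported log.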