[NT] NT Users Can Bypass Password Changing Policy via IIS
From: support@securiteam.com Date: 03/09/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 9 Mar 2002 22:18:44 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NT Users Can Bypass Password Changing Policy via IIS
------------------------------------------------------------------------
SUMMARY
A problem with the way IIS's Change Password HTR application handles
change password requests allows users whose password is "Change Locked"
(the user is not allowed to change the password) to change it using the
provided interface.
DETAILS
Vulnerable systems:
* Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0
Any NT user can bypass the administrator security policy "user cannot
change password" and change his/her password through the web-based ".HTR"
application: http://iisserver/iisadmpwd/aexp3.htr. This is possible with
disabled accounts as well.
Enter a valid user ID and password, and the new password. This bypasses
the security policy "user cannot change password", and the password is
changed.
The following files can also be used for the same result:
http://iis-server/iisadmpwd/aexp2.htr
http://iis-server/iisadmpwd/aexp2b.htr
http://iis-server/iisadmpwd/aexp4.htr
Vendor response:
"The particular policy you've mentioned, locking users out of changing
Passwords, isn't something that this tool, when developed, was designed to
account for.
Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .HTR if at all possible. The
preferred method of handling accounts through HTML pages is through the
use of ADSI now. As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some point."
Solution:
Disable HTR by un-mapping the .HTR extension. Avoid using the .HTR-based
password changing application.
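To check whether the pages above are still being requested and answered, the following added example (not part of the original advisory) scans an IIS log in W3C Extended format for .htr requests under /iisadmpwd/. The log lines, client addresses and the page name example.htr are constructed; it assumes the log records the c-ip, cs-method, cs-uri-stem and sc-status fields, and POSTs are counted separately on the assumption that the form is submitted that way.

```python
import re
from collections import Counter

# Pages named in the advisory; any other .htr under /iisadmpwd/ is flagged too.
ADVISORY_PAGES = {"aexp2.htr", "aexp2b.htr", "aexp3.htr", "aexp4.htr"}
HTR_UNDER_IISADMPWD = re.compile(r"^/iisadmpwd/([^/]+\.htr)$", re.IGNORECASE)

# Constructed sample in W3C Extended format (field order is read from #Fields).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-03-09 10:01:12 192.0.2.10 - GET /default.htm 200
2002-03-09 10:02:40 192.0.2.25 - GET /iisadmpwd/aexp3.htr 200
2002-03-09 10:02:55 192.0.2.25 - POST /iisadmpwd/aexp3.htr 200
2002-03-09 10:05:03 192.0.2.31 - GET /IISADMPWD/aexp2b.htr 404
2002-03-09 10:06:17 192.0.2.31 - GET /iisadmpwd/example.htr 404
"""


def find_htr_requests(log_text):
    """Return one dict per request to an .htr page under /iisadmpwd/."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # directive may reappear mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        m = HTR_UNDER_IISADMPWD.match(row.get("cs-uri-stem", ""))
        if not m:
            continue
        page, status = m.group(1).lower(), row.get("sc-status", "")
        hits.append({"client": row.get("c-ip", "-"), "method": row.get("cs-method", "-"),
                     "page": page, "status": status,
                     "named_in_advisory": page in ADVISORY_PAGES,
                     "served": status.startswith("2")})  # 2xx: page was returned
    return hits


def summarize(hits):
    """Per client: how many .htr requests were answered, and how many were POSTs."""
    served = Counter(h["client"] for h in hits if h["served"])
    posts = Counter(h["client"] for h in hits if h["served"] and h["method"] == "POST")
    return {c: {"served": n, "posts": posts[c]} for c, n in served.items()}


if __name__ == "__main__":
    for client, counts in summarize(find_htr_requests(SAMPLE_LOG)).items():
        print(client, counts)
```

After the extension has been un-mapped, any entry still reported with "served" set is worth following up.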
ADDITIONAL INFORMATION
The information has been provided by Syed Mohamed A.
(SyedMA@innerframe.com).