Juniper Networks

Signature Detail


Short Name: HTTP:IIS:IISADMPWD-PROXY-PASSWD
Severity: Major
Recommended: No
Recommended Action: Drop
Category: HTTP
Keywords: IIS 4.0 IISADMPWD Proxied Password
Release Date: 2003/04/22
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: IIS 4.0 IISADMPWD Proxied Password


This signature detects attempts to exploit a known vulnerability in Microsoft IIS 4.0. A remotely accessible directory contains vulnerable .HTR files that allow network users to change their passwords over HTTP. A request for one of these .htr files returns a form that asks for the account name, current password, and changed password. Users are notified of an unsuccessful password change for an existing account. Attackers can use this to determine which accounts exist, and can send an account name preceded by an IP address and a backslash to cause the Web server to contact a networked machine (using a NetBIOS session port) and attempt to change the account password.

Extended Description

Microsoft IIS is a popular web server package for Windows NT based platforms. Version 4.0 of IIS installs a remotely accessible directory, /IISADMPWD, mapped to c:\winnt\system32\inetsrv\iisadmpwd, which contains a number of vulnerable .HTR files. These were designed to let system administrators provide HTTP-based password change services to network users. The affected files, achg.htr, aexp*.htr, and anot*.htr, can be used in this manner. A Microsoft bulletin on the feature recommends using /IISADMPWD/aexp.htr for this purpose.

Requesting one of the listed .htr files returns a form that requests the account name, current password, and changed password. This can be used to determine whether or not the requested account exists on the host, as well as to conduct brute force attacks. If the account does not exist, the message "invalid domain" is returned; if it does, but the password change was unsuccessful, the attacker is notified. This can be used against the server and against other machines connected to the local network (and possibly even other machines on the Internet) by preceding the account name with an IP address and a backslash (e.g., XXX.XXX.XXX.XXX\ACCOUNT). The server contacts the networked machine through the NetBIOS session port and attempts to change the password.
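One way to flag the requests described above in logged or captured HTTP traffic, as an added example (this is not Juniper's signature logic and not code from the original page). The function names, finding labels, form field names and sample requests are constructed for illustration; addresses use the 192.0.2.0/24 documentation range.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# File names from the description: achg.htr, aexp*.htr, anot*.htr under /IISADMPWD
HTR_PATH = re.compile(r"^/iisadmpwd/(achg|aexp[^/]*|anot[^/]*)\.htr$")
# A parameter value of the form <IPv4>\<account>, the proxied form described above
PROXIED = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\\[^\\]+")


def normalize_path(raw_path):
    """Decode %xx escapes, unify slashes and case, resolve ./ and ../ segments."""
    path = unquote(raw_path).replace("\\", "/").lower()
    return posixpath.normpath("/" + path.lstrip("/"))


def inspect_request(url, body=""):
    """Return findings for one request: the request URL plus its urlencoded body."""
    parts = urlsplit(url)
    findings = []
    if not HTR_PATH.match(normalize_path(parts.path)):
        return findings
    findings.append("iisadmpwd-htr")
    # The page does not give the form's field names, so every value is checked.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for _name, value in params:
        match = PROXIED.match(value)
        if match:
            findings.append("proxied-account:" + match.group(1))
    return findings


# Constructed sample requests (URL, form body); field names are hypothetical.
SAMPLES = [
    ("/index.htm", ""),
    ("/IISADMPWD/aexp.htr", ""),
    ("/iisadmpwd/achg.htr", "acct=jsmith&old=a&new=b"),
    ("/%49isadmpwd/ANOT3.HTR", "acct=192.0.2.10%5Cjsmith&old=a&new=b"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, inspect_request(url, body))
```

A "proxied-account" finding carries the address the web server would be asked to contact, which is the value to correlate with outbound NetBIOS session traffic from that server.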

Affected Products

  • Microsoft IIS 4.0

References

  • BugTraq: 2110
  • CVE: CVE-1999-0407
  • URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0407
  • URL: http://support.microsoft.com/default.aspx?scid=kb;[LN];184619
  • URL: http://www.securityspace.com/smysecure/catid.html?ctype=cve&id=CVE-1999-0407

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.