From: mnemonix [mnemonix@GLOBALNET.CO.UK]
Sent: Sunday, February 08, 1998 11:36 PM
To: BUGTRAQ@NETSPACE.ORG
Subject: ALERT: IIS4 allows proxied password attacks over NetBIOS
Importance: High

Introduction

Internet Information Server 4.0 has an interesting feature that can allow a remote attacker to attack user accounts local to the Web Server as well as other machines across the Internet. Added to this, if your Web Server is behind a firewall performing network address translation, machines on the clean side of the firewall can be attacked, too.

Details

By default every install of Internet Information Server 4 creates a virtual directory "/IISADMPWD". This directory contains a number of .htr files. Anonymous users are allowed access to these files; they are not restricted to the loopback address (127.0.0.1). The following is a list of files found in the /IISADMPWD directory, which physically maps to c:\winnt\system32\inetsrv\iisadmpwd.

  achg.htr
  aexp.htr
  aexp2.htr
  aexp2b.htr
  aexp3.htr
  aexp4.htr
  aexp4b.htr
  anot.htr
  anot3.htr

The files, save for a few, are pretty much variants of the same file and allow a user to change their password via the Web. This can be used in such scenarios as mentioned in the Introduction. Not only this, but like the vrfy command in the SMTP service, it can be used to enumerate valid accounts through guesswork. If the user account does not exist, a message will be returned saying "invalid domain". If the account exists but the password is wrong, then the message will say so. If an IP address followed by a backslash precedes the account name (IPADDRESS\ACNAME), then the IIS server will contact the remote machine, over the NetBIOS session port, and attempt to change the user's password.

Mechanics

Consider aexp3.htr. This produces an HTML form requesting the UserID, old password, new password and confirm new password. The form's action is a POST to /_AuthChangeUrl?

/_AuthChangeUrl? is a "virtual file" in memory that actually maps to achg.htr. W3SVC.dll maintains this in memory and has a function, AuthChangeUrl( ), which links this to the achg.htr file. (To see this function, make a copy of w3svc.dll, rename it to w3svc.txt and open it in Notepad. If you can't see it straight away, use Find from Edit on the menu bar.)

.htr files are handled by ISM.DLL, and so control is passed across from W3SVC.DLL. ISM.DLL then uses the NetUserGetInfo( ) and NetUserChangePassword( ) functions. (Again, open up ism.dll in Notepad and you can see references to these functions.) The password is changed if the entered information was correct. If, however, the request is to change a password on a remote machine, the SYSTEM then logs onto the remote machine through a null session, then establishes a secure session over which to trade the account and password information.

Solution

If you don't require this service, then remove the /IISADMPWD virtual directory. This will prevent attackers from "proxying" password attacks.

If you do require the service and only need to change passwords on accounts local to the server, disabling the Workstation service should prevent this.

If you require this service and want to be able to change passwords on remote machines, do your best to limit where NetBIOS-based traffic over TCP port 139 can get to.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
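As an added example that is not part of the original post, the following Python script shows one way a defender could spot the guessing activity described above in IIS W3C extended logs: it counts, per client address, requests to the /IISADMPWD/*.htr forms and to the /_AuthChangeUrl endpoint, and reports sources that exceed a threshold. The log lines, field layout and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in IIS W3C extended log format (not from the original post).
# The #Fields directive names the columns; "-" marks an empty cs-uri-query.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-02-08 23:30:01 10.0.0.5 GET /default.htm - 200
1998-02-08 23:30:05 10.0.0.5 GET /iisadmpwd/aexp3.htr - 200
1998-02-08 23:30:06 10.0.0.5 POST /_AuthChangeUrl - 200
1998-02-08 23:30:07 10.0.0.5 POST /_AuthChangeUrl - 200
1998-02-08 23:30:08 10.0.0.5 POST /_AuthChangeUrl - 200
1998-02-08 23:30:09 10.0.0.5 POST /_AuthChangeUrl - 200
1998-02-08 23:31:00 192.168.1.20 GET /iisadmpwd/aexp3.htr - 200
1998-02-08 23:31:10 192.168.1.20 POST /_AuthChangeUrl - 200
"""

# URI stems that belong to the IIS 4 password-change feature: the /IISADMPWD
# virtual directory and the in-memory /_AuthChangeUrl that maps to achg.htr.
PASSWORD_CHANGE_PATHS = re.compile(r"^/(iisadmpwd/|_authchangeurl)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_password_change_activity(text, threshold=3):
    """Return {c-ip: count} for client addresses that touched the password-change
    endpoints at least `threshold` times; repeated POSTs from one source are the
    footprint of a password-guessing or account-enumeration run."""
    counts = defaultdict(int)
    for rec in parse_w3c(text):
        if PASSWORD_CHANGE_PATHS.match(rec.get("cs-uri-stem", "")):
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in find_password_change_activity(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests to the IIS password-change endpoints")
```

The request body (and therefore any IPADDRESS\ACNAME target) is not written to the IIS log, so a burst of POSTs to /_AuthChangeUrl is the signal to act on; the threshold should be tuned to how often legitimate users actually change passwords through the form.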