OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Syed Mohamed A (SyedMAinnerframe.com)
Date: Wed Mar 06 2002 - 03:07:05 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hi,
    Our PT team found the following vulnerability in security policy
    implementation with NT Server and IIS 4.0.

    NT user (who is locked changing his/her password by administrator) can
    bypass the security policy and Change the password.

    Vulnerable:

    Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0

    Description:

    Valid NT user can bypass the administrator security policy "user cannot
    change password" and can change his/her password through web based ".HTR"
    application.

    Valid NT user whose account is locked changing his/her password by
    administrator i.e. (Administrator applied the policy " user cannot change
    password") can still "Change his/her password through IIS Web service
    http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled
    accounts also.

    Enter valid user id and password (who can not change his/her password).Enter
    new password. It is by passing the security policy "user can not change
    password" and password got changed.

    The following files can also be used for the same

    http://iis-server/iisadmpwd/aexp2.htr
    http://iis-server/iisadmpwd/aexp2b.htr
    http://iis-server/iisadmpwd/aexp4.htr

    Vendor status

    Microsoft was informed about this.

    Response from Microsoft

            "The particular policy you've mentioned, locking users out of
    changing
    Passwords, isn't something that this tool, when developed, was designed to
    account for.

    Again, though, we want to reiterate that .HTR is a deprecated technology
    and we very strongly urge you to unmap .htr if at all possible. The
    preferred method of handling accounts through HTML pages is through the
    use of ADSI now. As I noted, we are looking to see if we can provide an
    ASP based application to replace the HTR-based application at some
    point."

    Solution

    .HTR should be disabled by unmapping. Avoid using .HTR based password
    changing application.

    Best Regards
                     
    Syed Mohamed A
    Technical Specialist- Technology & Practices
    InnerFrame - The Technology infrastructure services provider
    Division of The Microland Group, India
    www.innerframe.com

    email: syedmainnerframe.com
    Tel: 91-80-5503313 to 18 extn. 153
    Fax: 91-80-5503319
     

    The information transmitted is intended only for the person or entity to
    which it is addressed and may contain confidential and/or privileged
    material. Any review, re-transmission, dissemination or other use of or
    taking of any action in reliance upon, this information by persons or
    entities other than the intended recipient is prohibited. If you received
    this in error, please contact the sender and delete the material from your
    computer.