From: Rain Forest Puppy (rfp@vulnwatch.org)
Date: Tue Jan 29 2002 - 22:58:02 CST


    [ RFP's Note: the Site Server 3.0 SP4 DLLs contain another embedded
    password, apES7DAopqLM_1, but it appears that it is only used on a clean
    installation (which is then overwritten when the service starts). I did
    not mention this in my advisory since it was of no value. Matt makes note
    that the password BpES7DAopqLM_1 is embedded in the same DLLs shipped with
    the ILS LDAP service. The difference is that it doesn't seem that the ILS
    version has been updated to have the password-recreation mechanism. What's
    interesting to note are the two hardcoded passwords, when compared:

    apES7DAopqLM_1 (Site Server 3.0 SP4 DLLs, LDAP_ANONYMOUS)
    BpES7DAopqLM_1 (ILS Server on Win2K, ILS_ANONYMOUS_USER)

    Talk about scary. -- rfp ]

    ---------- Forwarded message ----------
    Date: Tue, 29 Jan 2002 19:55:18 -0800 (PST)
    From: Matt Wilbur <matt@efs.org>
    Subject: Re: [VulnWatch] RFP2201: MS Site Server Evilness

    On Tue, 29 Jan 2002, rain forest puppy wrote:
    >
    > --/ a / LDAP_Anonymous account w/ default password
    >
    > The installation of Site Server 3.0 includes the creation of a
    > LDAP_Anonymous user account, which is used by the included LDAP service.
    > Unfortunately the password for this account is set to 'LdapPassword_1'.
    > This password is also hardcoded into two system DLLs as well:
    >
    > \winnt\system32\pNmsrvs.dll
    > \winnt\system32\inetsrv\dscomobj.dll
    >
    > The account is added to the 'Guests' group, and is given the 'Log on
    > locally' privilege. Shimmer actually ran across this during his own
    > hack-fest. He also noted that the system appears to meticulously clean
    > up after this particular user account...as in, erase left over profile
    > files and such--basically, the system removes all traces that this user
    > account was used to log in.
    >

    Hi,

    It just so happens I *just* had to install the "IIS ILS Site Server"
    component on a Win2Ksp2 server *just* before I read your advisory. I
    haven't yet checked on the rest of the problems you found, but with just
    the IIS ILS Site Server installed, the same problem exists. An
    ILS_ANONYMOUS_USER account is created, the password is STILL stored in
    %systemroot%\system32\pnmsrvsx.dll and
    %systemroot\system32\inetsrv\dscomobx.dll. This time it's
    "BpES7DAopqLM_1".. I can't verify if this is something unique to my
    install (like servername rot13'd or something clever) or not, but I can
    log in as that local user w/that password. suuuck.

    fun! Thanks for the advisory!

    -matt
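The thread's point for a defender is that the same embedded credential ships in two DLLs, so a quick check of an installed system is to look for the reported strings in those files. The following scanner is an added example, not code from the advisory or from either poster; it searches binaries for the three passwords quoted in the thread in both ASCII and UTF-16LE (Windows binaries frequently store literals as wide characters), and the file paths it defaults to are the ones named above under whatever `%SystemRoot%` the host reports. The `SAMPLE_DLL` bytes are constructed so the scanner can be exercised offline.

```python
"""Check DLLs for the hardcoded LDAP_Anonymous / ILS_ANONYMOUS_USER passwords
reported in RFP2201 and Matt Wilbur's follow-up (added example, not from the thread)."""
import os
from pathlib import Path
from typing import Dict, Iterable, List

# Passwords quoted in the thread, keyed to where the thread says they appear.
KNOWN_PASSWORDS = {
    "LdapPassword_1": "Site Server 3.0 LDAP_Anonymous default",
    "apES7DAopqLM_1": "Site Server 3.0 SP4 DLLs (LDAP_ANONYMOUS)",
    "BpES7DAopqLM_1": "ILS Server on Win2K (ILS_ANONYMOUS_USER)",
}

# DLLs named in the thread, relative to %SystemRoot% (assumed C:\WINNT if unset).
DLL_NAMES = [
    r"system32\pNmsrvs.dll",
    r"system32\inetsrv\dscomobj.dll",
    r"system32\pnmsrvsx.dll",
    r"system32\inetsrv\dscomobx.dll",
]


def encodings_for(secret: str) -> List[bytes]:
    """Byte patterns to look for: narrow (ASCII) and wide (UTF-16LE) string literals."""
    return [secret.encode("ascii"), secret.encode("utf-16-le")]


def find_embedded_passwords(data: bytes) -> Dict[str, List[int]]:
    """Return {password: [byte offsets]} for every known password present in data.

    Each offset is where the encoded literal starts; both encodings are reported
    under the same password key so a caller only has to look at the keys.
    """
    hits: Dict[str, List[int]] = {}
    for secret in KNOWN_PASSWORDS:
        offsets: List[int] = []
        for needle in encodings_for(secret):
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                offsets.append(idx)
                start = idx + 1
        if offsets:
            hits[secret] = sorted(offsets)
    return hits


def scan_files(paths: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """Scan each existing file and return {path: hits} for files that contain a match."""
    results: Dict[str, Dict[str, List[int]]] = {}
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue  # DLL not installed on this host; nothing to report
        hits = find_embedded_passwords(path.read_bytes())
        if hits:
            results[str(path)] = hits
    return results


def default_targets() -> List[str]:
    root = os.environ.get("SystemRoot", r"C:\WINNT")
    return [os.path.join(root, name) for name in DLL_NAMES]


# Constructed stand-in for a DLL: a fake header, padding, then one wide-char
# password literal. Not real Site Server content; used only to exercise the scanner.
SAMPLE_DLL = (
    b"MZ" + b"\x00" * 32
    + "BpES7DAopqLM_1".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    findings = scan_files(default_targets())
    if not findings:
        print("no known embedded password found in the listed DLLs")
    for path, hits in findings.items():
        for secret, offsets in hits.items():
            print(f"{path}: {KNOWN_PASSWORDS[secret]} at offsets {offsets}")
```

A match tells you the credential is on disk, not whether the corresponding local account still uses it; per RFP's note, SP4 rewrites the LDAP_Anonymous password on service start while the ILS variant apparently does not, so a hit in the ILS DLLs deserves a direct check of that account's membership in Guests and its "Log on locally" right.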