MS IIS 4.0 Security Advisory

From: mnemonix (mnemonixat_private)
Date: Thu Jan 14 1999 - 00:25:28 PST


    This advisory is for those that upgraded to IIS 4 from IIS 2 or 3.
    
    Microsoft's IIS 4 limits Web-based administration to the loopback address
    (127.0.0.1) by default as a security measure. However, a relic left over
    from IIS 2 and 3, ism.dll left in the /scripts/iisadmin directory, allows
    users / attackers to access the previous ISAPI application used for remote
    web-based administration from a non-loopback IP address. On accessing a
    URL similar to the following
    
    http://www.server.com/scripts/iisadmin/ism.dll?http/dir
    
    a user will be prompted for a UserID and password and if successful
    authentication takes place they are given access to sensitive server
    information. Note however, that changes can no longer be made with this
    application. It does however provide an attacker with a means to brute
    force / guess the Administrator's password and if successful an enormous
    amount of reconnaissance work can be achieved through the application's use.
    
    This application is now redundant and can be removed. It plays no part in
    IIS 4's Web-based administration.
    
    Added to this, if IIS 4 is installed from the NT Option Pack and FrontPage
    Server Extensions are installed too, the fpcount.exe utility found in
    /_vti_bin/ contains an exploitable buffer overrun. I advised on this last
    year and MS produced an updated version in FrontPage Server Extensions 98
    which can be downloaded from the MS website.
    
    Cheers,
    David Litchfield
    http://www.infowar.co.uk/mnemonix/
    
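The advisory's practical consequence for a defender is that requests to the leftover /scripts/iisadmin/ism.dll are worth watching: a run of 401s from one client is a password-guessing attempt against the Administrator account, and a 200 with a username filled in means someone got in. The following script is an added example (it is not part of the advisory or of any Microsoft tooling) that parses IIS W3C extended log lines using the #Fields directive, flags any request to the two legacy paths the advisory names, counts failed logins per client against ism.dll, and reports successful authentications. The log lines, client addresses, the Administrator username and the five-failure threshold are all constructed for illustration.

```python
"""Spot probing, brute forcing and successful logins against the legacy
IIS 2/3 web-admin ISAPI (/scripts/iisadmin/ism.dll) and the old
FrontPage fpcount.exe in IIS W3C extended logs.

Added example, not code from the original advisory. Sample log, IPs,
username and threshold are constructed for illustration.
"""
from collections import Counter

# Legacy paths the advisory says are left behind after an upgrade to IIS 4.
# Keys are lowercase; IIS paths are case-insensitive so we lowercase lookups.
LEGACY_PATHS = {
    "/scripts/iisadmin/ism.dll": "IIS 2/3 web-based admin ISAPI (redundant on IIS 4)",
    "/_vti_bin/fpcount.exe": "FrontPage fpcount.exe (overrun fixed in FPSE 98)",
}

# Failed logins from one client to ism.dll before we call it brute force
# (assumed threshold, tune to the environment).
BRUTE_FORCE_THRESHOLD = 5

# Constructed sample log in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
1999-01-14 00:10:01 10.0.0.5 - GET /default.htm - 200
1999-01-14 00:10:07 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:08 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:09 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:10 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:11 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:12 10.0.0.9 - GET /scripts/iisadmin/ism.dll http/dir 401
1999-01-14 00:10:15 10.0.0.9 Administrator GET /SCRIPTS/IISADMIN/ISM.DLL http/dir 200
1999-01-14 00:11:02 10.0.0.22 - GET /_vti_bin/fpcount.exe Page=x 200
1999-01-14 00:11:30 10.0.0.31 - GET /scripts/iisadmin/ism.dll http/dir 404
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names given in
    the #Fields directive. Other '#' lines are directives and are skipped."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated/malformed line: skip rather than mis-assign columns
        records.append(dict(zip(fields, parts)))
    return records


def analyze(records, threshold=BRUTE_FORCE_THRESHOLD):
    """Return findings about legacy-path activity:
    probes        every request to a legacy path as (ip, path, status)
    brute_force   {ip: failed-login count} for ips at or above threshold
    admin_success (ip, user) pairs that got a 200 from ism.dll, i.e.
                  someone authenticated to the old admin application
    """
    probes, failures, admin_success = [], Counter(), []
    for r in records:
        path = r["cs-uri-stem"].lower()
        if path not in LEGACY_PATHS:
            continue
        ip, status = r["c-ip"], r["sc-status"]
        probes.append((ip, path, status))
        if path == "/scripts/iisadmin/ism.dll":
            if status == "401":
                failures[ip] += 1
            elif status == "200":
                admin_success.append((ip, r["cs-username"]))
    brute_force = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"probes": probes, "brute_force": brute_force, "admin_success": admin_success}


def report(text):
    """Human-readable findings, one line each."""
    f = analyze(parse_w3c(text))
    lines = [f"probe   {ip:<12} {path} -> {status} ({LEGACY_PATHS[path]})"
             for ip, path, status in f["probes"]]
    lines += [f"BRUTE   {ip:<12} {n} failed logins to ism.dll"
              for ip, n in f["brute_force"].items()]
    lines += [f"ACCESS  {ip:<12} authenticated to ism.dll as {user}"
              for ip, user in f["admin_success"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A 404 for ism.dll (the last sample line) is still reported as a probe: it tells you someone is looking for the leftover even on a server where it has been removed. Once the file is deleted as the advisory recommends, any 401 or 200 for that path in a new log is itself the finding.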



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:49 PDT