{"title": "Microsoft IIS aexp2.htr Password Policy Bypass", "published": "2002-03-06T00:00:00", "references": [], "type": "osvdb", "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2017-04-28T13:20:09"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-0421"]}, {"type": "osvdb", "idList": ["OSVDB:13428", "OSVDB:13429", "OSVDB:13430"]}, {"type": "nessus", "idList": ["IIS_AUTHENTIFICATION_MANAGER.NASL"]}], "modified": "2017-04-28T13:20:09"}, "vulnersScore": 5.9}, "cvelist": ["CVE-2002-0421"], "viewCount": 11, "affectedSoftware": [{"version": "4.0", "name": "Internet Information Server", "operator": "eq"}, {"version": "NT 4.0", "name": "Windows", "operator": "eq"}], "hash": "daca650cb43dfd9fda1b8dccce640b982859545403c37a727f3192c5b5d58daa", "id": "OSVDB:13427", "modified": "2002-03-06T00:00:00", "history": [], "href": "https://vulners.com/osvdb/OSVDB:13427", "hashmap": [{"hash": "ae0b7173cec791bf55f3ffddc2099c94", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "1fbd12e3c8a12d3c6936b353ba3b16b3", "key": "cvelist"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "27670aa0aa6dd2f06e32ff896e179467", "key": "description"}, {"hash": "2f4661320b0144ff305f7f19d2728dff", "key": "href"}, {"hash": "bdafb91b01883907fa657b5e347a46af", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "bdafb91b01883907fa657b5e347a46af", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5f890233852170884de97a9856a1ed99", "key": "reporter"}, {"hash": "a7741fb3d4a7bd4d269b9add1db1c70b", "key": "title"}, {"hash": "1327ac71f7914948578f08c54f772b10", "key": "type"}], "objectVersion": "1.2", "edition": 1, "description": "## Vulnerability Description\nMicrosoft IIS installs the /iisadmpwd/aexp2.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.\n## Short Description\nMicrosoft IIS installs the /iisadmpwd/aexp2.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## References:\n[Related OSVDB ID: 13428](https://vulners.com/osvdb/OSVDB:13428)\n[Related OSVDB ID: 13429](https://vulners.com/osvdb/OSVDB:13429)\n[Related OSVDB ID: 13430](https://vulners.com/osvdb/OSVDB:13430)\n[Nessus Plugin ID:10371](https://vulners.com/search?query=pluginID:10371)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0049.html\nISS X-Force ID: 8388\n[CVE-2002-0421](https://vulners.com/cve/CVE-2002-0421)\nBugtraq ID: 4236\n", "bulletinFamily": "software", "reporter": "Syed Mohamed A(syedm@syedmainnerframe.com)", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 5.0}, "lastseen": "2017-04-28T13:20:09"}

{"cve": [{"lastseen": "2019-05-29T18:07:38", "bulletinFamily": "NVD", "description": "IIS 4.0 allows local users to bypass the \"User cannot change password\" policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr , or (4) aexp4.htr.", "modified": "2008-09-05T20:27:00", "id": "CVE-2002-0421", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0421", "published": "2002-08-12T04:00:00", "title": "CVE-2002-0421", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS installs the /iisadmpwd/aexp2b.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.\n## Short Description\nMicrosoft IIS installs the /iisadmpwd/aexp2b.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## References:\n[Related OSVDB ID: 13429](https://vulners.com/osvdb/OSVDB:13429)\n[Related OSVDB ID: 13427](https://vulners.com/osvdb/OSVDB:13427)\n[Related OSVDB ID: 13430](https://vulners.com/osvdb/OSVDB:13430)\n[Nessus Plugin ID:10371](https://vulners.com/search?query=pluginID:10371)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0049.html\nISS X-Force ID: 8388\n[CVE-2002-0421](https://vulners.com/cve/CVE-2002-0421)\nBugtraq ID: 4236\n", "modified": "2002-03-06T00:00:00", "published": "2002-03-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:13428", "id": "OSVDB:13428", "title": "Microsoft IIS aexp2b.htr Password Policy Bypass", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS installs the /iisadmpwd/aexp3.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.\n## Short Description\nMicrosoft IIS installs the /iisadmpwd/aexp3.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## References:\n[Related OSVDB ID: 13428](https://vulners.com/osvdb/OSVDB:13428)\n[Related OSVDB ID: 13427](https://vulners.com/osvdb/OSVDB:13427)\n[Related OSVDB ID: 13430](https://vulners.com/osvdb/OSVDB:13430)\n[Nessus Plugin ID:10371](https://vulners.com/search?query=pluginID:10371)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0049.html\nISS X-Force ID: 8388\n[CVE-2002-0421](https://vulners.com/cve/CVE-2002-0421)\nBugtraq ID: 4236\n", "modified": "2002-03-06T00:00:00", "published": "2002-03-06T00:00:00", "id": "OSVDB:13429", "href": "https://vulners.com/osvdb/OSVDB:13429", "title": "Microsoft IIS aexp3.htr Password Policy Bypass", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nMicrosoft IIS installs the /iisadmpwd/aexp4.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.\n## Short Description\nMicrosoft IIS installs the /iisadmpwd/aexp4.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy \"user cannot change password\".\n## References:\n[Related OSVDB ID: 13428](https://vulners.com/osvdb/OSVDB:13428)\n[Related OSVDB ID: 13429](https://vulners.com/osvdb/OSVDB:13429)\n[Related OSVDB ID: 13427](https://vulners.com/osvdb/OSVDB:13427)\n[Nessus Plugin ID:10371](https://vulners.com/search?query=pluginID:10371)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-03/0049.html\nISS X-Force ID: 8388\n[CVE-2002-0421](https://vulners.com/cve/CVE-2002-0421)\nBugtraq ID: 4236\n", "modified": "2002-03-06T00:00:00", "published": "2002-03-06T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:13430", "id": "OSVDB:13430", "title": "Microsoft IIS aexp4.htr Password Policy Bypass", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:40", "bulletinFamily": "scanner", "description": "Microsoft IIS installs the 'aexp2.htr', 'aexp2b.htr', 'aexp3.htr', or 'aexp4.htr' files in the '/iisadmpwd' directory by default. These fiels can be used by an attacker to brute-force a valid username/password. A valid user may also use it to change his password on a locked account, bypassing password policy.", "modified": "2018-11-15T00:00:00", "id": "IIS_AUTHENTIFICATION_MANAGER.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10371", "published": "2000-04-15T00:00:00", "title": "Microsoft IIS /iisadmpwd/aexp2.htr Password Policy Bypass", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# 2002-06-07 [Michel Arboi]\n# I added aexp3.htr and the comment about the locked account.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10371);\n script_version (\"1.42\");\n\n script_cve_id(\"CVE-1999-0407\", \"CVE-2002-0421\");\n script_bugtraq_id(2110, 4236);\n\n script_name(english:\"Microsoft IIS /iisadmpwd/aexp2.htr Password Policy Bypass\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a password policy bypass\nvulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"Microsoft IIS installs the 'aexp2.htr', 'aexp2b.htr', 'aexp3.htr', or\n'aexp4.htr' files in the '/iisadmpwd' directory by default. These\nfiels can be used by an attacker to brute-force a valid\nusername/password. A valid user may also use it to change his password\non a locked account, bypassing password policy.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2002/Mar/113\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Remote the HTR ISAPI filter mapping from IIS and use Microsoft Active\nDirectory Service Interfaces for handling accounts remotely.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2000/04/15\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1999/02/09\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_end_attributes();\n\n summary[\"english\"] = \"Determines whether /iisadmpwd/aexp2.htr is present\";\n\n script_summary(english:summary[\"english\"]);\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Web Servers\";\n script_family(english:family[\"english\"]);\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\", \"www_fingerprinting_hmap.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\nport = get_http_port(default:80);\n\nfunction test_cgi(port, cgi, output)\n{\n local_var res;\n\n res = http_send_recv3(method:\"GET\", item:cgi, port:port, exit_on_fail: 1);\n\n if (output >< res[2])\n {\n security_hole(port);\n exit(0);\n }\n return(0);\n}\n \n \n\n\nsig = get_kb_item(\"www/hmap/\" + port + \"/description\");\nif ( sig && \"IIS\" >!< sig ) exit(0);\nif(get_port_state(port))\n{\n test_cgi(port:port, \n \t cgi:\"/iisadmpwd/aexp.htr\",\n\t output:\"IIS - Authentication Manager\");\t \n\n test_cgi(port:port, \n \t cgi:\"/iisadmpwd/aexp2.htr\",\n\t output:\"IIS - Authentication Manager\");\t \n test_cgi(port:port,\n cgi:\"/iisadmpwd/aexp2b.htr\",\n output:\"IIS - Authentication Manager\"); \n test_cgi(port:port,\n cgi:\"/iisadmpwd/aexp3.htr\",\n output:\"IIS - Authentication Manager\"); \n test_cgi(port:port,\n cgi:\"/iisadmpwd/aexp4.htr\",\n output:\"IIS - Authentication Manager\"); \n\n test_cgi(port:port,\n cgi:\"/iisadmpwd/aexp4b.htr\",\n output:\"IIS - Authentication Manager\"); \n}\n\t \n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}