ID: OSVDB:13427
Type: osvdb
Reporter: Syed Mohamed A (syedm@syedmainnerframe.com)
Modified: 2002-03-06T00:00:00
Description
Vulnerability Description
Microsoft IIS installs the /iisadmpwd/aexp2.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy "user cannot change password".
Solution Description
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.