Re: IIS4 allows proxied password attacks over NetBIOS

[Russ.Cooper () RC ON CA (Russ)]

I've always appreciated the fervor with which Mnemonix appears to
approach the issues he works on...BUT...

In an effort to confirm or refute Mnemonix's latest information, I did
the following using current production releases;

1. Installed NT 4.0 Server (no domain)
2. Installed NT 4.0 SP4 128-bit (including IE 4.01)
3. Installed NT 4.0 Option Kit using the "Typical" installation option
(thereby accepting all defaults)

NT 4.0 is the original release version.
NTOK is from the BackOffice April '98 release set.

Observations;

1. IIS HTML Administration was installed, but it was configured to run
on port 5661.
2. Through the HTML Administration tool included, I looked at the
Administration Site's security configuration;

a) Anonymous access is disabled by default.
b) NTLM authentication is enabled by default (which means you'd have to
successfully log on to access it)
c) IP Address restrictions are enabled by default and only 127.0.0.1 is
granted access.
d) The only site "Operaters" defined is the NTLM Administrators group
for the box.
e) Logging is enabled.

The same configuration was applied by default installation to the
/IISADMIN virtual site under the Administration site.

So while the directory permissions on the
\%systemroot%\system32\inetsrv\iisadmpwd are lax, "Everyone: Change",
this does not pose an immediate threat due to the web site configuration
parameters that limit access to it.

Its certainly possible that Mnemonix has seen a machine with the
permissions/configuration he's described, but it is definitely not a
current released version default or typical installation.

Unfortunately he has not disclosed precisely what versions of what he
was looking at.

So while permission tightening is certainly recommended in any IIS
installation, the threats described by Mnemonix do not exist in the
versions that have been released and available for over a year from MS.
The fact that SP4 was used in this installation means nothing wrt the
way IIS was installed from the older NTOK (note that SP4 was installed
prior to NTOK, and not re-applied after the NTOK installation, meaning
it could not have affected the NTOK installation).

I had a lengthy discussion with Mnemonix off-list about this particular
message, and have had such discussions with him in the past about other
"discoveries" he's made.

His observations about what might be possible if access to the IISADMPWD
directory *were possible* are of value to anyone trying to ensure the
integrity and security of their IIS installation. However, his
description of using this "vulnerability" to do user enumeration behind
a Firewall or NAT box are, well, farcical.

Given the pre-requisite vulnerabilities he states as fact don't exist
(anonymous access to the Administration site, unrestricted IP access,
and no NTLM authentication), the other extrapolated threats end up as
simply "oh, really?".

Certainly there is potential to take the Web Administration facility and
modify its default configuration into an extremely insecure facility
where the possibility of, very slowly, enumerating user accounts would
be possible (assuming nobody looks at the logs, account lockout is not
enabled, auditing is not enabled, and in general, the machine is left to
the dogs).

In my opinion all of this speculation, mistaken assumption, farcical
hyperbole and arm waving takes away from the valid observations of the
interaction between files and service which Mnemonix has told us.

As the moderator of NTBugtraq I, at first, strongly refused to send
Mnemonix's message through to NTBugtraq. I felt it was more FUD than
valuable fact, and did more of a disservice than if he modified and
reduced it to the raw, provable, facts. Unfortunately, despite numerous
exchanges, Mnemonix insisted he'd rather have his original message sent.

I'd appreciate your feedback on whether or not you feel you were served
better by having his message sent to NTBugtraq (Bugtraq readers, feel
free to tell me what you think of his message too!).

Meanwhile, maybe Mnemonix can tell us what versions were used to produce
the results he observed. If people are going to be warned, they should
be warned about the right version (this assumes that he did the
installation himself of course).

Cheers,
Russ - NTBugtraq moderator