Cerberus Information Security Advisory (CISADV000203)
http://www.cerberus-infosec.co.uk/advisories.html

Released         : 3rd February 2000
Name             : FrontPage Server Extensions
Affected Systems : Microsoft Windows NT 4 running Internet Information Server with FrontPage
Issue            : Attackers can discover the name of the anonymous Internet account and learn physical paths on the system
Author           : David Litchfield (mnemonix@globalnet.co.uk)

Description
***********

The Cerberus Security Team have discovered two issues that may pose a problem on some sites, though it must be noted that the impact should be minor provided best practices are followed.

It is possible to discover the name of the account used for allowing anonymous access to the web service, which could be used by an attacker in an attempted brute force attack. Sites most vulnerable to this are those that have changed the default password assigned to the IUSR_compname account, or those that use their own defined account, and have not set a suitably strong password.

The second problem reveals the physical paths of virtual directories. Again this is a minor issue, but it may be of some use to an attacker attempting to break into a system.

Details of account enumeration vulnerability
********************************************

By making a deliberate Vermeer RPC POST request to shtml.dll, located in the /_vti_bin/ virtual directory, one we know is going to fail due to access permissions, the server will respond stating that the "IUSR_CHARON" account is not allowed to run this service. IUSR_CHARON is used here as an example.

Details of physical path discovery vulnerability
************************************************

By making a GET request to htimage.exe, found sometimes in the scripts directory and in the cgi-bin, you can map the physical path to the virtual directory htimage.exe is located in. For example, http://charon/cgi-bin/htimage.exe?2,2 will reveal the physical path as being E:\SITE\cgi\.
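For administrators who cannot remove the FrontPage files straight away, the two request shapes described above are easy to pick out of IIS logs, and the account-name leak is easy to spot in a captured response. The following detection helper is an added example written for this page; it is not Cerberus code and not part of the CIS webscan module. The IIS W3C extended log excerpt, its field order, the client addresses and the sample response text are all constructed for illustration; only the file names (/_vti_bin/shtml.dll, htimage.exe) and the IUSR_ naming convention come from the advisory.

```python
"""Detection helpers for the two FrontPage Server Extensions information
leaks described in CISADV000203.  Added example, not Cerberus code; the log
format, field order and sample requests are constructed for illustration."""
import re
from typing import List, Tuple

# Constructed sample IIS W3C extended log excerpt (not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-02-03 10:01:02 192.0.2.10 GET /default.htm - 200
2000-02-03 10:01:05 192.0.2.10 POST /_vti_bin/shtml.dll /_vti_rpc 200
2000-02-03 10:01:09 192.0.2.10 GET /cgi-bin/htimage.exe 2,2 200
2000-02-03 10:02:11 192.0.2.20 GET /scripts/HtImage.exe 10,7 200
2000-02-03 10:03:00 192.0.2.30 GET /images/logo.gif - 304
"""

# Query string consisting only of an "x,y" coordinate pair, the minimal
# htimage.exe request the advisory says reveals the physical path.
COORD_QUERY = re.compile(r"^\d+,\d+$")

# Anonymous IIS account names, default or custom, follow the IUSR_ prefix.
IUSR_NAME = re.compile(r"\bIUSR_[A-Za-z0-9_.-]+")


def parse_w3c(log_text: str) -> List[dict]:
    """Parse a W3C extended log using its own #Fields directive."""
    fields: List[str] = []
    records = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def classify(record: dict) -> str:
    """Return a finding name for a suspicious request, or '' if benign."""
    stem = record.get("cs-uri-stem", "").lower()
    method = record.get("cs-method", "").upper()
    query = record.get("cs-uri-query", "")
    # Only POSTs carry the Vermeer RPC body; a plain GET of shtml.dll is not flagged.
    if method == "POST" and stem.endswith("/_vti_bin/shtml.dll"):
        return "shtml.dll RPC POST (may disclose anonymous account name)"
    # htimage.exe may live under any virtual directory, so match on the file name.
    if stem.endswith("/htimage.exe") and COORD_QUERY.match(query):
        return "htimage.exe coordinate request (may disclose physical path)"
    return ""


def detect(log_text: str) -> List[Tuple[str, str, str]]:
    """(client IP, URI stem, finding) for every matching log record."""
    hits = []
    for rec in parse_w3c(log_text):
        finding = classify(rec)
        if finding:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], finding))
    return hits


def leaked_account(response_body: str) -> str:
    """Name of an IUSR_ account appearing in a server response, else ''."""
    m = IUSR_NAME.search(response_body)
    return m.group(0) if m else ""


if __name__ == "__main__":
    for ip, stem, finding in detect(SAMPLE_LOG):
        print(f"{ip} {stem}: {finding}")
    # Constructed response text modelled on the advisory's description.
    print(leaked_account("IUSR_CHARON is not allowed to run this service"))
```

The log rules are deliberately narrow: a GET of shtml.dll or an htimage.exe call with a normal image-map query is left alone, so the output is a short list worth reading rather than a flood of FrontPage traffic. leaked_account() is meant for a response filter or a post-mortem check of captured traffic; a hit there confirms the server actually disclosed the anonymous account name, which is the moment to review the strength of that account's password.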
Checks for both of these issues have been incorporated into the webscan module of Cerberus' free vulnerability scanner CIS. If you already have a version you can download the updated DLL from http://www.cerberus-infosec.co.uk/webscan.dll . If you don't yet have the scanner you can get a copy from our website http://www.cerberus-infosec.co.uk/ - follow the Cerberus Internet Scanner link.

Solution
********

Microsoft has been alerted to these issues and will address them in the next version of FrontPage Server Extensions.

If you don't use the functionality provided by FrontPage then you should remove not only shtml.dll and htimage.exe but all other files associated with FrontPage.

For those that do use the functionality this should not present too much of a problem provided you implement a strong password policy. If this is still too much of a risk, or does not conform to your organization's security policy, then you should consider disabling FrontPage until the next version is available.

About Cerberus Information Security, Ltd
****************************************

Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner), available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader among companies offering such security services.
Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the world. For more information about Cerberus Information Security, Ltd please visit their website or call +44(0) 181 661 7405.

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd