Home page logo
/

bugtraq logo Bugtraq mailing list archives

NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password.
From: Syed Mohamed A <SyedMA () innerframe com>
Date: Wed, 6 Mar 2002 14:37:05 +0530

Hi,
Our PT team found the following vulnerability in security policy
implementation with NT Server and IIS 4.0.

NT user (who is locked changing his/her password by administrator)  can
bypass the security policy and Change the password.

Vulnerable:

Microsoft Windows NT Server 4.0 + IIS 4.0 + Service pack 6.0 

Description:

Valid NT user can bypass the administrator security policy "user cannot
change password" and can change his/her password through web based ".HTR"
application. 

Valid NT user whose account is locked changing his/her password by
administrator i.e. (Administrator applied the policy " user cannot change
password") can  still "Change his/her password through IIS Web service
http://iisserver/iisadmpwd/aexp3.htr ". This is possible with disabled
accounts also. 

Enter valid user id and password (who can not change his/her password).Enter
new password. It is by passing the security policy "user can not change
password" and password got changed.

The following files can also be used for the same

http://iis-server/iisadmpwd/aexp2.htr
http://iis-server/iisadmpwd/aexp2b.htr
http://iis-server/iisadmpwd/aexp4.htr

Vendor status

Microsoft was informed about this. 

Response from Microsoft

        "The particular policy you've mentioned, locking users out of
changing 
Passwords, isn't something that this tool, when developed, was designed to
account for.

Again, though, we want to reiterate that .HTR is a deprecated technology
and we very strongly urge you to unmap .htr if at all possible.  The
preferred method of handling accounts through HTML pages is through the
use of ADSI now.  As I noted, we are looking to see if we can provide an
ASP based application to replace the HTR-based application at some
point." 

Solution

.HTR should be disabled by unmapping. Avoid using  .HTR based password
changing application.


Best Regards
                 
Syed Mohamed A
Technical Specialist- Technology & Practices 
InnerFrame - The Technology infrastructure services provider
Division of The Microland Group, India
www.innerframe.com


email:   syedma () innerframe com   
Tel:       91-80-5503313 to 18  extn. 153
Fax:      91-80-5503319
 

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, re-transmission, dissemination or other use of or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from your
computer. 


  By Date           By Thread  

Current thread:
  • NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password. Syed Mohamed A (Mar 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault