COMMAND

    FrontPage Server Extensions

SYSTEMS AFFECTED

    Microsoft Windows NT 4 running Internet Information Server with FrontPage

PROBLEM

    The following is based on the Cerberus Information Security Advisory
    by David Litchfield.  The Cerberus Security Team have discovered two
    issues that may pose a problem on some sites, though it must be noted
    that the impact should be minor provided best practices are followed.
    It is possible to discover the name of the account used for allowing
    anonymous access to the web service, which could be used by an
    attacker in an attempted brute force attack.  Sites that are going to
    be most vulnerable to this are those that have changed the default
    password assigned to the IUSR_compname account, or those that use
    their own defined account, and have not set a suitably strong
    password.  The second problem will reveal the physical paths of
    virtual directories, again a minor issue, but one that may be of some
    use to an attacker attempting to break into a system.

    Details of account enumeration vulnerability
    ============================================
    By making a deliberate Vermeer RPC POST request to shtml.dll, located
    in the /_vti_bin/ virtual directory, one we know is going to fail due
    to access permissions, the server will respond stating that the
    "IUSR_CHARON" account is not allowed to run this service.  IUSR_CHARON
    is used here as an example; it is the default anonymous account name
    for a machine called CHARON.

    Details of physical path discovery vulnerability
    ================================================
    By making a GET request to htimage.exe, sometimes found in the scripts
    directory or in cgi-bin, you can map the physical path of the virtual
    directory in which htimage.exe is located.  For example,
    http://charon/cgi-bin/htimage.exe?2,2 will reveal the physical path as
    being E:\SITE\cgi\.
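    As an added illustration (not part of the Cerberus advisory or of the
    CIS scanner), the following Python script shows how an administrator
    can spot both probe types described above in IIS W3C extended log
    files, and how to check an error response for the anonymous-account
    name disclosure.  The log excerpt is constructed sample data; the
    request signatures are taken from the advisory text, and the
    IUSR_<machine> pattern assumes the default IIS naming convention.

```python
import re

# Constructed IIS W3C extended log excerpt (sample data, not from the
# advisory): the two probes described above mixed with ordinary traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-12-01 10:00:01 10.0.0.5 GET /index.html - 200
1999-12-01 10:00:02 10.0.0.9 POST /_vti_bin/shtml.dll - 500
1999-12-01 10:00:03 10.0.0.9 GET /cgi-bin/htimage.exe 2,2 200
1999-12-01 10:00:04 10.0.0.5 GET /images/logo.gif - 200
1999-12-01 10:00:05 10.0.0.9 GET /scripts/HTImage.exe 2,2 200
1999-12-01 10:00:06 10.0.0.7 GET /_vti_bin/shtml.dll/page.htm - 200
"""

# Request signatures derived from the advisory.  Paths are matched
# case-insensitively because IIS on NTFS is case-insensitive.
SIGNATURES = [
    ("frontpage_rpc_to_shtml", "POST",
     re.compile(r"^/_vti_bin/shtml\.dll$", re.I)),
    ("htimage_path_disclosure", "GET",
     re.compile(r"/htimage\.exe$", re.I)),
]

# Account name disclosed in the shtml.dll error body.  IUSR_<machine> is
# the default IIS anonymous account; sites using a custom account would
# need to add its name here (assumption: default naming in use).
ACCOUNT_LEAK = re.compile(r"\b(IUSR_[A-Za-z0-9_-]+)\b")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, values))


def find_probes(text):
    """Return (c-ip, signature, cs-uri-stem, sc-status) for each matching request."""
    hits = []
    for rec in parse_w3c(text):
        for name, method, pattern in SIGNATURES:
            if rec["cs-method"].upper() == method and pattern.search(rec["cs-uri-stem"]):
                hits.append((rec["c-ip"], name, rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def leaked_account(response_body):
    """Return the IUSR_* name if an error body discloses one, else None."""
    m = ACCOUNT_LEAK.search(response_body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for ip, sig, stem, status in find_probes(SAMPLE_LOG):
        print(f"{ip}\t{sig}\t{stem}\t{status}")
    body = 'The "IUSR_CHARON" account is not allowed to run this service'
    print("leaked account:", leaked_account(body))
```

    The status code is reported alongside each hit because the advisory's
    enumeration trick relies on a request that fails on permissions;
    legitimate FrontPage clients also POST to shtml.dll, so a failed
    status is the more useful discriminator.  Likewise htimage.exe is a
    normal image-map handler that always takes coordinates, so the point
    of the second signature is to show where the binary is reachable at
    all rather than to call any single request hostile.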

SOLUTION

    Checks for both of these issues have been incorporated into the
    webscan module of Cerberus' free vulnerability scanner CIS.  If you
    already have a version you can download the updated DLL from
    http://www.cerberus-infosec.co.uk/webscan.dll.

    Microsoft has been alerted to these issues and will address them in
    the next version of FrontPage Server Extensions.  If you don't use the
    functionality provided by FrontPage then you should remove not only
    shtml.dll and htimage.exe but all other files associated with
    FrontPage.  For those that do use the functionality, this should not
    present too much of a problem provided you implement a strong
    password policy - though if this is still too much of a risk, or does
    not conform to your organization's security policy, then you should
    consider whether to disable FrontPage until the next version is
    available.