COMMAND

    IIS 4.0

SYSTEMS AFFECTED

    Win NT with IIS 4.0

PROBLEM

    mnemonix found the following.  This advisory is for those who
    upgraded to IIS 4 from IIS 2 or 3.  Microsoft's IIS 4 limits
    Web-based administration to the loopback address (127.0.0.1) by
    default as a security measure.  However, a relic left over from
    IIS 2 and 3, ism.dll in the /scripts/iisadmin directory, allows
    users / attackers to reach the previous ISAPI application used for
    remote Web-based administration from a non-loopback IP address.
    On accessing a URL similar to the following

        http://www.server.com/scripts/iisadmin/ism.dll?http/dir

    a user is prompted for a UserID and password, and if
    authentication succeeds they are given access to sensitive server
    information.  Note, however, that changes can no longer be made
    with this application.  It does provide an attacker with a means
    to brute force / guess the Administrator's password, and if that
    succeeds an enormous amount of reconnaissance work can be done
    through the application.  This application is now redundant and
    can be removed; it plays no part in IIS 4's Web-based
    administration.  In addition, if IIS 4 is installed from the NT
    Option Pack and the FrontPage Server Extensions are installed too,
    the fpcount.exe utility found in /_vti_bin/ contains an
    exploitable buffer overrun.
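    A log check a defender can run for the two leftovers described
    above, added here as an example (not part of the original advisory).
    It assumes IIS W3C extended logging whose "#Fields:" header gives
    the column order; the log lines, client addresses and the
    brute-force threshold below are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log in W3C extended format.  The #Fields header
# drives parsing, so a real IIS export with a different column order
# is handled the same way.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-01 10:00:01 127.0.0.1 GET /scripts/iisadmin/ism.dll http/dir 200
1998-07-01 10:00:05 192.0.2.10 GET /scripts/iisadmin/ism.dll http/dir 401
1998-07-01 10:00:06 192.0.2.10 GET /scripts/iisadmin/ism.dll http/dir 401
1998-07-01 10:00:07 192.0.2.10 GET /scripts/iisadmin/ism.dll http/dir 401
1998-07-01 10:00:09 192.0.2.10 GET /scripts/iisadmin/ism.dll http/dir 200
1998-07-01 10:01:00 198.51.100.7 GET /_vti_bin/fpcount.exe Page=x 200
1998-07-01 10:02:00 203.0.113.5 GET /index.html - 200
"""

# The two redundant binaries named in the advisory.
LEGACY_PATHS = {"/scripts/iisadmin/ism.dll", "/_vti_bin/fpcount.exe"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_legacy_admin_hits(text, threshold=3):
    """Return (hits, suspects).  hits: (ip, path, status) for every request
    to a legacy binary from a non-loopback client.  suspects: client IPs
    with at least `threshold` 401s against ism.dll (password guessing)."""
    hits, failures = [], Counter()
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        if path not in LEGACY_PATHS:
            continue
        ip = rec["c-ip"]
        if ipaddress.ip_address(ip).is_loopback:
            continue  # loopback access is the intended IIS 4 behaviour
        hits.append((ip, path, rec["sc-status"]))
        if path.endswith("ism.dll") and rec["sc-status"] == "401":
            failures[ip] += 1
    suspects = sorted(ip for ip, n in failures.items() if n >= threshold)
    return hits, suspects
```

    Any hit at all means the redundant file is still present and
    reachable; the suspect list is the password-guessing indicator the
    advisory warns about.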

SOLUTION

    mnemonix advised on this last year and MS produced an updated
    version in FrontPage Server Extensions 98, which can be downloaded
    from the MS website.