COMMAND

    IIS (metabase)

SYSTEMS AFFECTED

    Win NT with IIS 4.0

PROBLEM

    Patrick Chambet found the following.  We knew that Windows NT
    passwords are stored in 7 different places across the system.
    Here is an 8th place: the IIS 4.0 metabase.  IIS 4.0 uses its own
    configuration database, named "metabase", which can be compared to
    the Windows Registry: the metabase is organised in Hives, Keys and
    Values.  It is stored in the following file:

        C:\WINNT\system32\inetsrv\MetaBase.bin

    The IIS 4.0 metabase contains these passwords:

        - IUSR_ComputerName account password  (only if you have  typed
          it in the MMC)
        - IWAM_ComputerName account password (ALWAYS !)
        - UNC username and password used to connect to another  server
          if one of your virtual directories is located there.
        - The user name and password  used to connect to the ODBC  DSN
          called "HTTPLOG"  (if you  chose to  store your  Logs into a
          database).

    Note that the usernames are in unicode, clear text, that the
    passwords are scrambled in the metabase.ini file, and that only
    Administrators and SYSTEM have permissions on this file, BUT a
    few lines of script in a WSH script or in an ASP page allow one to
    print these passwords in CLEAR TEXT.  The user name and password
    used to connect to the Logs DSN could allow a malicious user to
    delete traces of his activities on the server.  Obviously this
    represents a significant risk for Web servers that allow logons
    and/or remote access.  Here is an example of what can be gathered:

        IIS 4.0 Metabase
        © Patrick Chambet 1998 - pchambet@club-internet.fr

        --- UNC User ---
        UNC User name: 'Lou'
        UNC User password: 'Microsoft'
        UNC Authentication Pass Through: 'False'

        --- Anonymous User ---
        Anonymous User name: 'IUSR_SERVER'
        Anonymous User password: 'x1fj5h_iopNNsp'
        Password synchronization: 'False'

        --- IIS Logs DSN User ---
        ODBC DSN name: 'HTTPLOG'
        ODBC table name: 'InternetLog'
        ODBC User name: 'InternetAdmin'
        ODBC User password: 'xxxxxx'

        --- Web Applications User ---
        WAM User name: 'IWAM_SERVER'
        WAM User password: 'Aj8_g2sAhjlk2'
        Default Logon Domain: ''

    For example, you can imagine the following scenario.  A user Bob
    is allowed to logon only on a server hosting IIS 4.0, say server
    (a).  He need not be an Administrator.  He can be for example
    an IIS 4.0 Web Site Operator.  Then, he launches a WSH script
    that extracts the login name and password of the account used to
    access a virtual directory located on another server, say (b).
    Now, Bob can use this login name and password to logon on server
    (b).  And so forth...

SOLUTION

    Microsoft was informed of this vulnerability.  As said before,
    passwords are not stored in clear text.  But they can be DISPLAYED
    in clear text.  Web Site Operators can also view some passwords.
    And you know that ANY NT user can act as a Web Site Operator.
    He/she needn't be an NT Administrator.  A simple user can be
    promoted to webmaster of an intranet, for example.  And that
    simple user can see the passwords of other users, like the ones
    used to connect to a UNC path.  This fact has to be known by the
    REAL NT Administrator(s).  Maybe, then, he won't promote a user
    to webmaster without carefully thinking about it.
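    As an added example (not part of the original advisory), here is a
    WSH script an NT Administrator can run to see which accounts hold
    Web Site Operator rights on each site and which virtual directories
    point at UNC paths, i.e. which stored remote credentials those
    operators could expose.  It assumes the IIS 4.0 ADSI provider and
    reads no password properties from the metabase.

```vbscript
' Audit IIS 4.0 metabase: who can act as Web Site Operator on each site,
' and which virtual directories reference UNC paths (and therefore carry
' stored remote credentials).  Run with cscript.exe as an Administrator.
Option Explicit
Dim svc, site, sd, dacl, ace

Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    If site.Class = "IIsWebServer" Then
        WScript.Echo "Site " & site.Name & ": " & site.ServerComment
        ' AdminACL is the DACL that grants Web Site Operator rights;
        ' every trustee listed here can read site properties via ADSI.
        Set sd = site.AdminACL
        Set dacl = sd.DiscretionaryAcl
        For Each ace In dacl
            WScript.Echo "  Operator ACE: " & ace.Trustee & _
                         " (mask 0x" & Hex(ace.AccessMask) & ")"
        Next
        ' Walk the virtual directory tree below the site's Root vdir.
        ListUncVDirs site.GetObject("IIsWebVirtualDir", "Root"), "  "
    End If
Next

' Recursively report virtual directories whose physical path is a UNC
' share; such a vdir stores a UNC user name and password in the metabase.
Sub ListUncVDirs(node, indent)
    Dim child
    If Left(node.Path, 2) = "\\" Then
        WScript.Echo indent & "UNC vdir " & node.Name & " -> " & _
                     node.Path & "  (remote credentials stored in metabase)"
    End If
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Then
            ListUncVDirs child, indent & "  "
        End If
    Next
End Sub
```

    Any trustee listed under a site that is not an Administrator
    should be reviewed against the UNC vdirs reported for that site.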