CVE-2002-0421
CVSS5.0
发布时间 :2002-08-12 00:00:00
修订时间 :2008-09-05 16:27:58
NMCOS    

[原文]IIS 4.0 allows local users to bypass the "User cannot change password" policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr , or (4) aexp4.htr.


[CNNVD]Microsoft Windows NT安全策略被绕过漏洞(CNNVD-200208-168)

        
        微软IIS是Windows平台上的一种WEB Server。
        IIS 4.0有一个远程可访问目录/IISADMPWD,包含了一些.HTR文件。这些文件最初设计用于为系统管理员提供基于HTTP的网络用户口令修改机制。提交对.HTR文件的请求,将返回一个表单,让用户输入帐号名、当前口令、准备使用的新口令。
        据报告,即使一个帐号的本地安全策略中设置了"用户不能修改口令",仍有可能通过IISADMPWD目录下的.HTR程序修改自己的口令。对于被禁用的帐号,此问题同样存在。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:microsoft:windows_nt:4.0:sp1:serverMicrosoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_nt:4.0:sp5:serverMicrosoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp6:serverMicrosoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_nt:4.0:sp2:serverMicrosoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_nt:4.0:sp3:serverMicrosoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_nt:4.0:sp6a:serverMicrosoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_nt:4.0:sp4:serverMicrosoft Windows 4.0 sp4 server

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0421
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0421
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-168
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/4236
(VENDOR_ADVISORY)  BID  4236
http://www.iss.net/security_center/static/8388.php
(VENDOR_ADVISORY)  XF  winnt-pw-policy-bypass(8388)
http://online.securityfocus.com/archive/1/259963
(VENDOR_ADVISORY)  BUGTRAQ  20020306 NT user (who is locked changing his/her password by administrator ) can bypass the security policy and Change the password.

- 漏洞信息

Microsoft Windows NT安全策略被绕过漏洞
中危 设计错误
2002-08-12 00:00:00 2005-10-20 00:00:00
远程  
        
        微软IIS是Windows平台上的一种WEB Server。
        IIS 4.0有一个远程可访问目录/IISADMPWD,包含了一些.HTR文件。这些文件最初设计用于为系统管理员提供基于HTTP的网络用户口令修改机制。提交对.HTR文件的请求,将返回一个表单,让用户输入帐号名、当前口令、准备使用的新口令。
        据报告,即使一个帐号的本地安全策略中设置了"用户不能修改口令",仍有可能通过IISADMPWD目录下的.HTR程序修改自己的口令。对于被禁用的帐号,此问题同样存在。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 由于.HTR技术本身存在重大安全隐患,微软不打算就此问题给出其它解决方案,它们建议取消对.HTR的映射,转用微软活动目录服务接口(ADSI)处理类似请求。
        厂商补丁:
        Microsoft
        ---------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.microsoft.com/

- 漏洞信息

13427
Microsoft IIS aexp2.htr Password Policy Bypass
Remote / Network Access Misconfiguration
Loss of Integrity
Exploit Public

- 漏洞描述

Microsoft IIS installs the /iisadmpwd/aexp2.htr file by default, which can be used by an attacker to brute force a valid username/password. A valid user may also use it to change a password on a locked account or bypass the administrator security policy "user cannot change password".

- 时间线

2002-03-06 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the HTR ISAPI filter mapping from IIS and use Microsoft Active Directory Service Interfaces (ADSI) for handling accounts remotely.

- 相关参考

- 漏洞作者

- 漏洞信息

Microsoft Windows NT Security Policy Bypass Vulnerability
Design Error 4236
Yes No
2002-03-06 12:00:00 2009-07-11 10:56:00
Reported by Syed Mohamed A <SyedMA@innerframe.com>.

- 受影响的程序版本

Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0

- 漏洞讨论

Microsoft IIS is a popular web server package for Windows NT based platforms. Version 4.0 of IIS installs a remotely accessible directory, /IISADMPWD, which contains a number of vulnerable .HTR files. These are designed to allow system administrators the ability to provide HTTP based password change services to network users. Requesting one of the .htr files returns a form that requests the account name, current password, and changed password.

An issue has been reported which could allow NT users, with their local security policy set to "User cannot change password", to change their password via IISADMPWD.

- 漏洞利用

No exploit code required.

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站