Cerberus Information Security Advisory (CISADV000203)

Released              : 3rd February 2000
Name                  : Frontpage Server Extentions
Affected Systems : Microsoft Windows NT 4 running Internet Information
                             Server with Frontpage
Issue                    : Attackers can discover the name of the anonyous
Internet account and learn physical paths on system
Author                  : David Litchfield (mnemonix@globalnet.co.uk)

The Cerberus Security Team have discovered two issues that may pose a
problem on some sites, though it must be noted that the impact should be
minor provided best practices are followed. It is possible to discover the
name of the account used for allowing anonymous access to the web service
which could be used by an attacker in an attempted brute force attack. Sites
that are going to be most vulnerable to this are those that have changed the
default password assigned to the IUSR_compname account, or those that use
their own defined account, and have not set a suitably strong password. The
second problem will reveal the physical paths of virtual directories, again
a minor issue, but may be of some use to an attacker attempting to break a

Details of account enumeration vulnerability
By making a deliberate Vermeer RPC POST request to shtml.dll, located in the
/_vti_bin/ virtual directory, one we know if going to fail due to access
permissions, the server will respond stating that the "IUSR_CHARON" account
is not allowed to run this service - IUSR_CHARON is used here as an example.

Details of physical path discovery vulnerability
By making a GET request to htimage.exe found sometimes in the scripts
directory and in the cgi-bin you can map the physical path to the virtual
directory htimage.exe is located in.  http://charon/cgi-bin/htimage.exe?2,2
will reveal the physical path as being E:\SITE\cgi\ for example.

Checks for both of these issues have been incorporated into the webscan
module of Cerberus' free vulnerability scanner CIS. If you already have a
version you can download the updated DLL from
http://www.cerberus-infosec.co.uk/webscan.dll . If you don't yet have the
scanner you can get a copy from our website
http://www.cerberus-infosec.co.uk/ - follow the Cerberus Internet Scanner

Microsoft has been alerted to these issues and they will address them in the
next version of Frontpage Server Extentions. If you don't use the
functionality provided by Frontpage then you should remove, not only
shtml.dll and htimage.exe but all other files associated with Frontpage. For
those that do use the functionality this should not present too much of a
problem provided you implement a strong password policy - though if this
still is too much of a risk or does not conform to your organization's
security policy then you should consider whether to disable Frontpage or not
until the next version is available.

About Cerberus Information Security, Ltd
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of  "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd