Advisory: IIS 4.0 and 5.x metabase can reveal plaintext passwords
We knew that Windows NT/2000 passwords are stored in at least 7 different places across
the system. Here is a 8th place: the IIS metabase.
IIS uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
The IIS metabase contains these passwords:
- IUSR_ComputerName account password,
- IWAM_ComputerName account password,
- UNC username and password used to connect to another server if one of
your virtual directories is located there,
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.bin file, and that only Administrators and SYSTEM
have permissions on this file.
BUT a few lines of code in C++, in WSH or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
© Patrick Chambet 1998
--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
For example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He does not need to be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches the IISPwds tool that extracts
the login name and password of the account used to access to a virtual
directory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
And so forth...
Microsoft was informed of this vulnerability, but did not consider that the threat due to this vulnerability was worth a patch...
The tool: IISPwds
IISPwds shows the passwords of the NT accounts cited above and used by Microsoft IIS 4.0 and 5.x in clear text. Note that this is a local version only. The version capable of retreiving remote passwords will not be released.
Go to the tools page to try other useful utilities.