I cut and pasted this from the ISS Xforce website  http://www.iss.net/xforce
frontpage-pwd-users (3392)      Low Risk 
FrontPage Extensions users.pwd file could reveal encrypted passwords
Description: 
Microsoft FrontPage Extensions creates a file users.pwd inside the _vti_pvt
directory in the HTTP server's document root. This file contains encrypted
passwords which could be remotely retrieved by an attacker and cracked
offline. If the passwords in this file are weak enough, or enough time is
spent cracking them, the attacker could potentially obtain the plaintext
password and use it to access resources on the server.
Platforms Affected: 
Microsoft FrontPage All versions
Remedy: 
Make sure passwords chosen for FrontPage accounts are strong enough to
subvert cracking attempts if the hashes are obtained by an attacker. Also,
the permissions on the _vti_pvt directory and the *.pwd files therein should
be modified to disallow remote attackers from retrieving them. This
work-around may or may not adversely affect the normal operation of the
FrontPage server.
Consequences: 
Gain Info 
References: 
Microsoft Product Support Services, "Minimum Access Permissions Required on
Internet Information Server" at
http://support.microsoft.com/support/frontpage/Q152306/default.asp



Joe H. Clifton, II
Security Team Lead
Office Depot
2200 Old Germantown Rd
Delray Beach, FL 33445
e-mail: [EMAIL PROTECTED]
Office:  561-438-7906
Fax:     561-438-7633
2-way pgr: 877-542-0129

 -----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, November 26, 2001 1:42 PM
To:     [EMAIL PROTECTED]
Subject:        FTP Vulnerability via Front Page Extensions?

I am running W2kserver and IIS 5.0 with Front Page 2000 extensions
installed. I have (or at least "had") anonymous access (READ only) set up
for my FTP service until last week when I discovered that my rather large
hard drive was completely full. I did some digging around and checked all of
my IIS logs in the process. I discovered a ton of hits such as the log
excerpt pasted in below:
 
04:32:36 xxx.xxx.xxx.xxx [3]USER anonymous 331
04:32:36 xxx.xxx.xxx.xxx [3]PASS [EMAIL PROTECTED] 230
04:38:22 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r36 226
04:46:10 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r37 226
04:54:02 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r38 226
05:01:43 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r39 226
05:08:59 xxx.xxx.xxx.xxx [3]sent /_vti_pvt/tag/com/test/tagged/and/upped/by/solfe/4/all+french+team/DivX/10.18.01.The.Animal.FRENCH.DVDiVX-SEQ/ta-seq.r40 226
 
If you will notice the "/_vti_pvt" folder, this was the case every time this
site was hacked into. According to my logs, this took place over the course
of about two weeks and was hit from several different IP Addresses. The
"/_vti_pvt" folder is a Front Page Extensions folder and it is my guess that
this is a vulnerability that has something to do with Front Page permissions
coupled with IIS 5.0 FTP service. Since then, I have deleted all of the sub
folders under the "/_vti_pvt" folder and removed anonymous access and
removed the anonymous user account completely from the file system
permissions as well. I have also set the FTP service to manual and limited
simultaneous FTP connections to one, which will allow me to remotely start
the FTP service and then connect and have me be the only allowed connection
during my session. I have had no such hits since I made these changes.
 
A colleague of mine had the same exact issue with his home server, but under
a different alias. Does anyone know of such a vulnerability? I would like to
be able to allow anonymous access to my server because it allows me to do a
lot of favors for friends and relatives.
 
Take care.. happy holidays and thanks in advance,
Rob Edmiston
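
Added example (not part of either message above): a small log check that flags FTP sessions with completed transfers under /_vti_pvt, using the line layout of the excerpt in the original message. The sample lines are constructed, and the "created" verb for uploads is an assumption, since the excerpt shows only "sent".

```python
import re
from collections import defaultdict

# Line layout as in the post's excerpt: time, client IP, [session]verb, argument, FTP status.
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")
TRANSFERS = {"sent", "created"}  # "created" (upload) is assumed; the excerpt shows only "sent"

def under(path, root):
    """True when path is root or below it (case-insensitive, as on NTFS)."""
    p, r = path.lower(), root.lower().rstrip("/")
    return p == r or p.startswith(r + "/")

def flag_sessions(lines, root="/_vti_pvt"):
    """Return {(ip, session): summary} for sessions with completed transfers under root."""
    users = {}
    hits = defaultdict(lambda: {"user": None, "sent": 0, "created": 0,
                                "first": None, "last": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines and wrapped fragments
        when, ip, sid, verb, arg, status = m.groups()
        key = (ip, sid)
        if verb.upper() == "USER":
            users[key] = arg  # remember the login name offered for this session
        elif verb.lower() in TRANSFERS and status == "226" and under(arg, root):
            h = hits[key]
            h["user"] = users.get(key)
            h[verb.lower()] += 1
            h["first"] = h["first"] or when
            h["last"] = when
    return dict(hits)

# Constructed sample lines in the same layout (documentation IP addresses, made-up paths).
SAMPLE = """\
04:30:01 192.0.2.10 [2]USER anonymous 331
04:30:01 192.0.2.10 [2]PASS guest@example.invalid 230
04:30:09 192.0.2.10 [2]sent /pub/readme.txt 226
04:32:36 198.51.100.7 [3]USER anonymous 331
04:32:36 198.51.100.7 [3]PASS guest@example.invalid 230
04:33:10 198.51.100.7 [3]created /_vti_pvt/tag/sample/part.r01 226
04:38:22 198.51.100.7 [3]sent /_vti_pvt/tag/sample/part.r01 226
04:39:00 198.51.100.7 [3]created /_vti_pvt/tag/sample/part.r02 550
""".splitlines()

if __name__ == "__main__":
    for (ip, sid), summary in flag_sessions(SAMPLE).items():
        print(ip, sid, summary)
```

Sessions are keyed by client IP and the bracketed session number, so a log covering a long period should be processed one file at a time, as the numbers can repeat.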
