Vulnerabilities > CVE-1999-1538 - Remote Web-Based Administration vulnerability in Microsoft Internet Information Server 4.0

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
local
low complexity
microsoft
nessus
exploit available
NVD
Published: 1999-01-14
Updated: 2016-10-18

Summary

When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

descriptionNT IIS4 Remote Web-Based Administration Vulnerability. CVE-1999-1538. Remote exploit for windows platform
idEDB-ID:19147
last seen2016-02-02
modified1999-01-14
published1999-01-14
reporterMnemonix
sourcehttps://www.exploit-db.com/download/19147/
titleNT IIS4 - Remote Web-Based Administration Vulnerability

Nessus

NASL familyWeb Servers
NASL idIISADMIN.NASL
descriptionWhen Microsoft Internet Information Server (IIS) 4.0 is upgraded from version 2.0 or 3.0 the ism.dll file is left in the /scripts/iisadmin directory. This script discloses sensitive information via a specially crafted URL which could lead to elevated privileges. An attacker could use this to gain access to the administrator
last seen2020-06-01
modified2020-06-02
plugin id10358
published2000-04-01
reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10358
titleMicrosoft IIS /iisadmin Unrestricted Access
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(10358);
 script_version ("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 script_cve_id("CVE-1999-1538");
 script_bugtraq_id(189);

 script_name(english:"Microsoft IIS /iisadmin Unrestricted Access");
 script_summary(english:"Checks for the presence of /iisadmin");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a privilege escalation
vulnerability.");
 script_set_attribute(attribute:"description", value:
"When Microsoft Internet Information Server (IIS) 4.0 is upgraded from
version 2.0 or 3.0 the ism.dll file is left in the /scripts/iisadmin
directory. This script discloses sensitive information via a specially
crafted URL which could lead to elevated privileges. An attacker could
use this to gain access to the administrator's password.");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=91638375309890&w=2");
 script_set_attribute(attribute:"solution", value:
"Restrict access to /iisadmin through the IIS ISM.");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2000/04/01");
 script_set_attribute(attribute:"vuln_publication_date", value: "1999/01/14");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:iis");
 script_end_attributes();
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

banner = get_http_banner(port:port);
if ( ! banner || "Microsoft-IIS/" >!< banner ) exit(0);
if ( ! get_port_state(port) ) exit(0);

res = http_send_recv3(method:"GET", item:"/iisadmin/", port:port);
if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");
if ( ereg(pattern:"HTTP/[01]\.[01] 200 ", string:res[2]) &&
     "<TITLE>IIS Internet Services Manager (HTMLA)</TITLE>" >< res[2] ) security_note(port);

References