How to verify “Account Brute Force Possible Through IIS localstart.asp Authentication Interface” vulnerability?

By | February 22, 2017

Qualys scanning found a vulnerability, “Account Brute Force Possible Through IIS localstart.asp Authentication Interface”, as below. I need to do black box testing to verify this vulnerability.

If anybody would be willing to help, it would be greatly appreciated!

THREAT:
The file “localstart.asp” is part of the default Microsoft IIS install. By default it is password protected using Windows Integrated Authentication which will prompt the user requesting this file for username/password using an HTTP Access authentication window.

IMPACT:
If the host has an account lockout policy in place, a remote user may use this authentication interface to lockout a local user, provided that the name of the local user is known.

If the host does not have an account lockout policy in place, a remote user may use this authentication interface to brute force user passwords.

Note that the Windows user list may sometimes be obtained by exploiting other vulnerabilities. Windows also has a few easy-to-guess default names for built-in accounts: “Administrator” for administering the computer/domain, “Guest” for guest access, “IUSR_” for anonymous access to IIS, “IWAM_” for IIS to start out-of-process applications, etc. Here the machine name may be obtained via Windows UDP NetBIOS NS (port 137).

Among the above built-in accounts, the account lockout policy, even if it is in place, does not apply to the administrator account. So if the host uses a default name of “Administrator” for the administrator account, the password brute force of this account is possible through the “Printers” authentication interface.

SOLUTION:

1. Run the ‘Internet Services Manager’ under ‘Settings > Control Panel > Administrative Tools > Internet Services Manager’.
2. In the left pane labeled “Tree”, select “Default Web Site”.
3. In the right pane, right click on “localstart.asp”, and select “Delete”, which will remove this file from your IIS installation.
4. Restart your IIS server to remove any cached information related to this file.

It has been reported that the issue may not be fixed by removing the file from the www root directory. In this case, you may keep the file but change its security settings as follows:

1. Click on “Start”, right click on “My Computer”, select “Manage”.
2. Go to “Services and Applications -> Internet Information Service -> Web Sites -> Default Web Site”.
3. Right click on “localstart.asp” and select “Properties”.
4. On the “File Security” tab, click to clear “Integrated Windows authentication”.
5. Restart the web server.
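The condition Qualys describes can be confirmed from the defender's side with a single unauthenticated request: the finding applies only if /localstart.asp still exists and the server answers with a Windows (Negotiate/NTLM) challenge, so no credential guessing is needed to verify it or to confirm that the fix above took effect. The following is an added example, not from the post or from Qualys; the target base URL is a hypothetical argument and the sample headers are constructed.

```python
import urllib.error
import urllib.request

def classify(status, headers):
    """Verdict for one unauthenticated GET of /localstart.asp.

    The Qualys condition holds only when the file exists AND the server
    challenges for Windows credentials: 401 with a Negotiate or NTLM
    WWW-Authenticate scheme. `headers` maps header name -> list of values.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 404:
        return "not_present"          # file deleted: finding no longer applies
    if status == 401:
        values = lowered.get("www-authenticate", [])
        schemes = {v.split()[0].lower() for v in values if v.strip()}
        if schemes & {"negotiate", "ntlm"}:
            return "integrated_auth"  # reproducible exactly as Qualys describes
        if schemes:
            return "other_auth"       # e.g. Basic: an auth interface, but not this finding
    if status == 200:
        return "anonymous"            # served with no challenge at all
    return "inconclusive"

def _as_lists(msg):
    """Group repeated headers (IIS sends WWW-Authenticate twice) into lists."""
    grouped = {}
    for name, value in msg.items():
        grouped.setdefault(name, []).append(value)
    return grouped

def check_localstart(base_url, timeout=10):
    """Issue a single GET for /localstart.asp and classify the response."""
    url = base_url.rstrip("/") + "/localstart.asp"
    req = urllib.request.Request(url, headers={"User-Agent": "localstart-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, _as_lists(resp.headers))
    except urllib.error.HTTPError as err:   # 401 and 404 arrive as exceptions
        return classify(err.code, _as_lists(err.headers))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_localstart(sys.argv[1]))   # hypothetical target base URL
    else:
        # Constructed sample: what IIS returns while the file is present and protected.
        sample = {"WWW-Authenticate": ["Negotiate", "NTLM"], "Server": "Microsoft-IIS/5.0"}
        print(classify(401, sample))          # -> integrated_auth
```

Run it once before and once after applying the solution: "integrated_auth" reproduces the finding, "not_present" confirms the file was removed, and "inconclusive" on a 401 without a Windows scheme means Integrated Windows authentication was cleared as in the second procedure.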
