Microsoft IIS is a popular web server package for Windows NT-based
platforms. Version 4.0 of IIS installs a remotely accessible directory,
/IISADMPWD (mapped to c:\winnt\system32\inetsrv\iisadmpwd), which
contains a number of vulnerable .HTR files.
These were designed to allow system administrators to provide HTTP-based
password change services to network users. The affected files, achg.htr,
aexp*.htr, and anot*.htr, can be used in this manner. A Microsoft bulletin
on the feature recommends using /IISADMPWD/aexp.htr for this purpose.
Requesting one of the listed .htr files returns a form that asks for the
account name, the current password, and the new password.
This can be used to determine whether or not the requested account exists
on the host, as well as to conduct brute force attacks. If the account does
not exist, the message "invalid domain" is returned; if it does exist but
the password change was unsuccessful, the attacker is notified of that
instead.
This can be used against the server itself and against other machines
connected to the local network (and possibly even other machines on the
Internet) by preceding the account name with an IP address and a backslash
(e.g., XXX.XXX.XXX.XXX\ACCOUNT). The server then contacts the networked
machine through the NetBIOS session port and attempts to change the
password.
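As an added defender-side example (not part of the original advisory), the following Python flags requests to the affected /IISADMPWD .htr files in an IIS W3C extended log and reports clients that repeatedly submit the form. The log lines are constructed for illustration, and the field names assume the standard W3C extended format.

```python
import re
from collections import Counter

# Affected files named in the advisory: achg.htr, aexp*.htr, anot*.htr.
# IIS paths are case-insensitive, so the match is too.
HTR_RE = re.compile(r"^/iisadmpwd/(achg|aexp[^/]*|anot[^/]*)\.htr$", re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not real data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-03-01 10:00:01 10.0.0.5 GET /default.htm - 200
1999-03-01 10:00:02 10.0.0.5 GET /iisadmpwd/aexp.htr - 200
1999-03-01 10:00:03 10.0.0.5 POST /iisadmpwd/aexp.htr - 200
1999-03-01 10:00:04 192.0.2.77 GET /IISADMPWD/achg.htr - 200
1999-03-01 10:00:05 192.0.2.77 POST /IISADMPWD/achg.htr - 200
1999-03-01 10:00:05 192.0.2.77 POST /IISADMPWD/achg.htr - 200
1999-03-01 10:00:06 192.0.2.77 POST /IISADMPWD/aexp2b.htr - 200
1999-03-01 10:00:06 192.0.2.77 POST /IISADMPWD/anot3.htr - 200
1999-03-01 10:00:07 10.0.0.9 GET /iisadmpwd/readme.txt - 404
"""

def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def htr_requests(rows):
    """Requests that hit one of the affected .htr files (any method)."""
    return [r for r in rows if HTR_RE.match(r.get("cs-uri-stem", ""))]

def suspicious_sources(rows, threshold=3):
    """Client IPs with at least `threshold` form submissions (POSTs) to the
    affected files; repeated submissions are the enumeration / brute-force
    signal. The web log does not record the submitted account name, so an
    IP\\ACCOUNT relay is only visible as outbound TCP/139 (NetBIOS session)
    connections from the web server and must be watched separately."""
    posts = Counter(r["c-ip"] for r in htr_requests(rows)
                    if r.get("cs-method", "").upper() == "POST")
    return {ip: n for ip, n in posts.items() if n >= threshold}

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for r in htr_requests(rows):
        print(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print("suspicious:", suspicious_sources(rows))
```

If the password-change feature is not in use on a server, any hit on these files is unexpected and worth reviewing regardless of count.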