Microsoft Site Server LDAP_Anonymous user account generates weak passwords
| siteserver-ldap-weak-passwords (8073) |  Low Risk |
Description:
Microsoft Site Server version 3.0 SP4 running on Windows NT 4.0 generates weak passwords for the LDAP_Anonymous user account. If the server does not have the "schannel.dll" file installed, the password is generated using the local time. A remote attacker can obtain this information by connecting to the NetBIOS port (TCP port 139) to make a NULL session NetBIOS query.
Platforms Affected:
- Microsoft, Site Server 3.0 SP4
- Microsoft, Site Server Commerce 3.0 SP4
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Obtain Information
References:
- rain forest puppy advisory RFP2201, MS Site Server Evilness at http://marc.theaimsgroup.com/?l=vulnwatch&m=101235440104716&w=2.
- BID-4007: Microsoft Site Server 3.0 Weak LDAP_Anonymous Password Generation Vulnerability
Reported:
Jan 29, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net