According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form, as they are on Windows 95; instead they are scrambled and hidden in seven different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can be compared to the Windows Registry: the metabase is organised in Hives, Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are scrambled in the metabase.ini file, and that only Administrators and SYSTEM have permissions on this file.
BUT a few lines of script in a WSH script or in an ASP page allow one to print these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow logons and/or remote access, although I did not see any exploit of the problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
(c) Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:

A user Bob is allowed to log on only to a server hosting IIS 4.0, say server (a). He need not be an Administrator. He can be, for example, an IIS 4.0 Web Site Operator. Then he launches a WSH script that extracts the login name and password of the account used to access a virtual directory located on another server, say (b). Now Bob can use this login name and password to log on to server (b). And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
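A defender who inherits a server like the one described above wants two answers before rotating anything: who can actually read MetaBase.bin, and which of the four credential slots the advisory lists are populated. The following PowerShell audit is an added example, not code from the advisory, from Patrick Chambet or from Microsoft. It assumes the host exposes the metabase through the IIS ADSI provider at IIS://localhost/W3SVC (IIS 5 and 6 do; an NT 4 box has no PowerShell, so the same checks would be written in WSH there), that the property names AnonymousUserName, WAMUserName, UNCUserName and LogOdbcUserName correspond to the labels in the sample output above, and that the file path is the one the advisory gives. It deliberately reads only the user-name properties and never the password properties: the presence of a user name is enough to know a password is stored beside it and must be rotated if a non-administrator could have read it.

```powershell
# Added defensive audit; not code from the advisory. Assumptions: the IIS metabase is
# reachable through the ADSI provider (IIS://localhost/W3SVC), PowerShell's [ADSI]
# accelerator can bind to it, and the property names below match the labels in the
# advisory's sample output. Password properties are intentionally never read.

$MetabaseFile = 'C:\WINNT\system32\inetsrv\MetaBase.bin'   # path given in the advisory
$Findings = New-Object System.Collections.Generic.List[string]

# 1. File ACL: the advisory states only Administrators and SYSTEM should hold access.
if (Test-Path $MetabaseFile) {
    $Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    foreach ($ace in (Get-Acl $MetabaseFile).Access) {
        if ($Expected -notcontains $ace.IdentityReference.Value) {
            $Findings.Add("ACL: unexpected principal '$($ace.IdentityReference)' has $($ace.FileSystemRights) on MetaBase.bin")
        }
    }
} else {
    $Findings.Add("INFO: $MetabaseFile not found (not an IIS 4.0 host, or a non-default install path)")
}

# 2. Credential slots, keyed by the user-name property only. A populated name means a
#    scrambled password is stored next to it in the metabase.
$Slots = [ordered]@{
    'Anonymous (IUSR) account'       = 'AnonymousUserName'
    'Web application (IWAM) account' = 'WAMUserName'
    'UNC virtual directory account'  = 'UNCUserName'
    'ODBC log DSN account'           = 'LogOdbcUserName'
}

function Get-CredentialSlots {
    param(
        [System.DirectoryServices.DirectoryEntry]$Node,
        [string]$Path
    )
    foreach ($label in $Slots.Keys) {
        $name = $Node.Properties[$Slots[$label]].Value
        if ($name) {
            $Findings.Add("STORED: $label at $Path -> user '$name' (rotate if a non-admin could have read the metabase)")
        }
    }
    # UNC credentials live on the virtual directory that points at the remote share,
    # so the whole W3SVC tree is walked rather than only the service node.
    foreach ($child in $Node.Children) {
        Get-CredentialSlots -Node $child -Path "$Path/$($child.Name)"
    }
}

try {
    $Svc = [ADSI]'IIS://localhost/W3SVC'
    Get-CredentialSlots -Node $Svc -Path 'W3SVC'
} catch {
    $Findings.Add("INFO: could not bind to IIS://localhost/W3SVC ($($_.Exception.Message))")
}

if ($Findings.Count -eq 0) { $Findings.Add('OK: restrictive ACL and no stored credential slots found') }
$Findings | ForEach-Object { Write-Output $_ }
```

Run it elevated on the web server itself. Every STORED line names an account whose password the advisory shows is recoverable by anyone who can run script against the metabase, so the follow-up is to rotate that account (and, for the UNC and HTTPLOG entries, the matching account on the remote file server or database), and to review who holds Web Site Operator rights on each site, since that is the non-administrator role the scenario in the advisory relies on.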