According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form as in Windows 95; instead they are scrambled ciphertext hidden in 7 different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the
  MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
  your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
  "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:

A user Bob is allowed to log on only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be, for example,
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services