According to earlier findings, Windows NT passwords are not stored in a single file in simply encrypted form as they are in Windows 95; instead they are scrambled codes hidden in 7 different places. This newly published article tells us the eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the
  MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
  your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
  "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:

A user Bob is allowed to log on only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be, for example,
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services