According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form as they are in Windows 95; instead they are scrambled codes hidden in 7 different places. This newly published article tells us the 8th place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the
  MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
  your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
  "HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page make it possible
to print these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'

Default Logon Domain: ''
"
For example, you can imagine the following scenario:

A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).

Now, Bob can use this login name and password to logon on server (b).
And so forth...
Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
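A defensive audit in the same WSH setting the mail describes, added here as an example and not part of the original message: it walks the IIS Admin Objects (ADSI) namespace and reports where the metabase is holding a credential, so an administrator can enable password synchronization, switch UNC shares to pass-through authentication, or remove the stored account. It assumes the IIS metabase property names AnonymousPasswordSync, AnonymousUserName, UNCAuthenticationPassthrough, UNCUserName, Path, LogOdbcDataSource, LogOdbcUserName and WAMUserName, and deliberately never reads a password property.

```vbscript
' Added audit example, not code from the original mail.
' Reports locations in the IIS 4.0 metabase that hold a stored credential.
' No password-valued property is ever read or printed.
Option Explicit

Dim svc, site
Set svc = GetObject("IIS://localhost/W3SVC")

' Service-level settings. Assumption: the ODBC logging DSN and the
' WAM account are read from the W3SVC node through ADSI.
WScript.Echo "ODBC logging DSN '" & svc.LogOdbcDataSource & _
    "' is configured with user '" & svc.LogOdbcUserName & _
    "'; its password lives in the metabase if ODBC logging is in use."
WScript.Echo "WAM account '" & svc.WAMUserName & _
    "' password is always stored in the metabase."

For Each site In svc
    If site.Class = "IIsWebServer" Then
        ' The anonymous account password is only typed into the metabase
        ' when password synchronization has been switched off.
        If Not site.AnonymousPasswordSync Then
            WScript.Echo "Site " & site.Name & ": anonymous user '" & _
                site.AnonymousUserName & "' has a password stored in the metabase " & _
                "(enable password synchronization to remove it)."
        End If
        CheckVdirs site
    End If
Next

' Recursively inspect virtual directories; a UNC path without
' pass-through authentication means a UNC password is stored.
Sub CheckVdirs(parent)
    Dim child
    For Each child In parent
        If child.Class = "IIsWebVirtualDir" Then
            If Left(child.Path, 2) = "\\" And Not child.UNCAuthenticationPassthrough Then
                WScript.Echo "  " & child.Name & " -> " & child.Path & _
                    ": UNC user '" & child.UNCUserName & _
                    "' password stored in the metabase (consider pass-through)."
            End If
            CheckVdirs child
        End If
    Next
End Sub
```

Run it with cscript on the IIS host as an administrator; the point of the output is to know which stored credentials to rotate or remove, not to read them.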