According to earlier findings, Windows NT passwords are not kept, as Windows 95 passwords are, in a single file under simple encryption; instead they are scrambled values hidden in seven different places. The newly published article below tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS!)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs in a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow one to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:

A user Bob is allowed to log on only to a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
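The advisory's point is that the NTFS ACL on MetaBase.bin is already restricted to Administrators and SYSTEM, and that the exposure comes instead from scripts a low-privileged operator can run against IIS's own administration objects. A defender's first check is still to confirm that the file baseline has not drifted, since any extra principal on that file can read the scrambled credentials directly. The following Python script is an added example, not code from the advisory or from Microsoft: it parses the output of `cacls C:\WINNT\system32\inetsrv\MetaBase.bin` (the layout assumed here, file path leading the first line and indented continuation lines for further ACEs, is an assumption about the NT 4.0 tool; the sample output is constructed, with two extra entries planted so the audit has something to flag) and reports any principal other than the two expected ones. What it does not cover is who may author ASP pages or run WSH scripts on the server, which is the path the advisory describes, so a clean ACL is necessary but not sufficient.

```python
import sys
from typing import Dict, List

# Path given in the advisory for the IIS 4.0 metabase file.
METABASE_PATH = r"C:\WINNT\system32\inetsrv\MetaBase.bin"

# The advisory states that only Administrators and SYSTEM hold permissions
# on MetaBase.bin; these are the matching NT account names (assumed).
EXPECTED_PRINCIPALS = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM",
}

# Constructed sample in the shape of `cacls <file>` output (assumption: the
# file path leads the first line and later ACEs appear on indented lines).
# The Everyone and IUSR entries are planted so the audit has findings to show.
SAMPLE_CACLS_OUTPUT = (
    "C:\\WINNT\\system32\\inetsrv\\MetaBase.bin BUILTIN\\Administrators:F\n"
    "                                        NT AUTHORITY\\SYSTEM:F\n"
    "                                        Everyone:R\n"
    "                                        SERVER\\IUSR_SERVER:R\n"
)


def parse_cacls(output: str, path: str) -> Dict[str, str]:
    """Map each principal in cacls-style output to its permission letters."""
    aces: Dict[str, str] = {}
    for line in output.splitlines():
        entry = line.strip()
        if entry.startswith(path):
            # First line: drop the file path that precedes the first ACE.
            entry = entry[len(path):].strip()
        if ":" not in entry:
            continue  # blank or unrelated line
        # Principals may contain spaces ("NT AUTHORITY\SYSTEM"), so the
        # permission is whatever follows the last colon.
        principal, perm = entry.rsplit(":", 1)
        aces[principal.strip()] = perm.strip()
    return aces


def audit_metabase_acl(aces: Dict[str, str]) -> List[str]:
    """Return principals that hold any access but are not on the expected list."""
    return sorted(p for p in aces if p not in EXPECTED_PRINCIPALS)


def main() -> None:
    # Read saved `cacls` output from a file named on the command line,
    # otherwise fall back to the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CACLS_OUTPUT
    findings = audit_metabase_acl(parse_cacls(text, METABASE_PATH))
    if findings:
        print("Unexpected principals with access to MetaBase.bin:")
        for principal in findings:
            print(f"  {principal}")
    else:
        print("MetaBase.bin ACL matches the expected baseline.")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the planted findings, or save `cacls` output to a file on the NT host and pass that file's path; any principal it lists beyond Administrators and SYSTEM should be removed from the file's ACL and the change investigated.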