According to earlier findings, Windows NT passwords are not stored in simply encrypted form in a single file, as they are on Windows 95, but as scrambled ciphertext hidden in seven different places. This newly published article tells us about an eighth place where Windows NT passwords hide.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,
We knew that Windows NT passwords are stored in 7 different places across the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can be compared to the Windows Registry: the metabase is organised in Hives, Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the MMC)
- IWAM_ComputerName account password (ALWAYS!)
- UNC username and password used to connect to another server if one of your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are scrambled in the metabase.ini file, and that only Administrators and SYSTEM have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow printing these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow logons and/or remote access, although I did not see any exploit of the problem I am reporting yet. Here is an example of what can be gathered:
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
For example, you can imagine the following scenario:

A user Bob is allowed to logon only on a server hosting IIS 4.0, say server (a). He need not be an Administrator. He can be, for example, an IIS 4.0 Web Site Operator. Then he launches a WSH script that extracts the login name and password of the account used to access a virtual directory located on another server, say (b). Now Bob can use this login name and password to log on to server (b). And so forth...

Microsoft was informed of this vulnerability.
________________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
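As an added defensive check that is not part of the advisory above, the following PowerShell script audits the ACL on the metabase file the advisory names and reports any principal other than Administrators or SYSTEM that is granted access. It assumes a Windows host with PowerShell and the file path given in the advisory; the allowed-principal list and function name are this example's own.

```powershell
# Added audit check (not from the advisory): report any ACE on MetaBase.bin
# that grants access to a principal other than Administrators or SYSTEM.
# Path is the one named in the advisory; adjust it for your installation.
$MetabasePath = 'C:\WINNT\system32\inetsrv\MetaBase.bin'

# The advisory states that only these two principals should hold permissions.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-MetabaseAcl {
    param([string]$Path = $MetabasePath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Metabase file not found: $Path"
        return $null
    }

    $acl = Get-Acl -Path $Path
    # Collect every Allow entry whose identity is outside the expected set.
    $findings = foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $who) {
            [pscustomobject]@{
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    if ($findings) {
        Write-Warning "Unexpected principals are granted access to $Path"
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "OK: only $($Allowed -join ', ') are granted access to $Path"
    }
    return $findings
}

Test-MetabaseAcl
```

This only covers direct file access; the script-based disclosure the advisory describes goes through IIS's own administration interface, so the accounts holding Web Site Operator rights should be reviewed as well.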