Where exactly are NT passwords stored?

Posted on 2011-1-12 21:01:17
According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form the way Windows 95 passwords are; instead they are scrambled codes hidden in 7 different places. This recently published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr

--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'

--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'

--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'

--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:

A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access to a virtual
directory located on another server, say (b).
Now, Bob can use these login name and password to logon on server (b).
And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services