According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form as they are in Windows 95; instead they are scrambled ciphertext hidden in 7 different places. This newly published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,
We knew that Windows NT passwords are stored in 7 different places across
the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
"HTTPLOG" (if you chose to store your Logs into a database).
Note that the usernames are in unicode, clear text, that the passwords are
scrambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow
these passwords to be printed in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a
malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr
--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"
For example, you can imagine the following scenario:
A user Bob is allowed to log on only on a server hosting IIS 4.0, say
server (a). He need not be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access a virtual
directory located on another server, say (b).
Now, Bob can use this login name and password to log on to server (b).
And so forth...

Microsoft was informed of this vulnerability.
_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services