NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100

2 c% }) g, P( g- y+ u7 @From: Patrick CHAMBET <pchambet@club-internet.fr>

# l2 R* J; k) }8 D1 y- KTo: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
7 z, d* Z" V. z# W& q& b1 J) }the system. Here is a 8th place: the IIS 4.0 metabase.
5 t; P7 u( z1 h; gIIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin
' Q, d9 @  B4 [* S: ^  dThe IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
4 H$ m& Q: u- z5 D' r6 w, r" sMMC)
9 p7 y; ?! h( H5 Y6 j# [- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
your virtual directories is located there.
/ C0 b4 b) u0 c1 N: T# d9 [- The user name and password used to connect to the ODBC DSN called
; q  z/ L% t2 l* _; t# x7 {"HTTPLOG" (if you chose to store your Logs into a database).
6 z, e5 X- m1 v0 b' bNote that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.ini file, and that only Administrators and SYSTEM
have permissions on this file.
BUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
The user name and password used to connect to the Logs DSN could allow a
7 z9 N2 A( p0 Imalicious user to delete traces of his activities on the server.
Obviously this represents a significant risk for Web servers that allow
logons and/or remote access, although I did not see any exploit of the
problem I am reporting yet. Here is an example of what can be gathered:
"
8 X+ F3 ?7 ?1 m' i/ w6 bIIS 4.0 Metabase
?Patrick Chambet 1998 - pchambet@club-internet.fr
' L; [0 q8 a# W8 @) |0 }--- UNC User ---
5 O: v  r0 N, k$ Z# wUNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
- l4 }! @* D" v: J8 R  MAnonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
, W8 M. v+ Z8 X6 Z--- IIS Logs DSN User ---
' ?. V0 `# C- M# N  o: z9 XODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
5 T8 ~$ U2 e( b; T8 zODBC User name: 'InternetAdmin'
! i# w( q( p9 j1 M0 k) ^' b  |ODBC User password: 'xxxxxx'
--- Web Applications User ---
! e9 E1 v: q$ L- C; B, M% x6 VWAM User name: 'IWAM_SERVER'
% t0 r$ G0 Y1 F' bWAM User password: 'Aj8_g2sAhjlk2'
" [  h7 F# ?9 o1 G2 q% j6 \2 VDefault Logon Domain: ''
"
. l$ P8 g  ]: ~1 V7 S5 ~For example, you can imagine the following scenario:
! y/ B! U9 v) p! z9 V+ JA user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not to be an Administrator. He can be for example
8 b, X4 W4 o, B" M  V) _' man IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
the login name and password of the account used to access to a virtual
directory located on another server, say (b).
: n5 u- Y: b+ H0 q4 I4 {- K: N( pNow, Bob can use these login name and passord to logon on server (b).
: `, f! r; K6 z' C' MAnd so forth...
) X% ^4 Q  F& z9 c' n: aMicrosoft was informed of this vulnerability.
: }! \9 Z8 e# ?; U2 p; T9 ^_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
- s2 D+ X5 G6 W3 dMCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
8 E6 ~6 d# k% Z) |. o9 G5 t- Q" zIBM Global Services