Where Are NT Passwords Actually Stored?

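Posted on 2011-1-12 21:01:17

According to earlier findings, Windows NT passwords are not kept in a single file in simply encrypted form the way Windows 95 passwords are; instead they are scrambled codes hidden in 7 different places. This recently published article tells us about an eighth place where Windows NT passwords are hidden.

Date: Mon, 22 Feb 1999 11:26:41 +0100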
From: Patrick CHAMBET <pchambet@club-internet.fr>
To: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords

Hi all,

We knew that Windows NT passwords are stored in 7 different places across the system. Here is an 8th place: the IIS 4.0 metabase.

IIS 4.0 uses its own configuration database, named "metabase", which can be compared to the Windows Registry: the metabase is organised in Hives, Keys and Values. It is stored in the following file:

C:\WINNT\system32\inetsrv\MetaBase.bin

The IIS 4.0 metabase contains these passwords:

- IUSR_ComputerName account password (only if you have typed it in the MMC)
- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of your virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called "HTTPLOG" (if you chose to store your Logs into a database).

Note that the usernames are in unicode, clear text, that the passwords are scrambled in the metabase.ini file, and that only Administrators and SYSTEM have permissions on this file.

BUT a few lines of script in a WSH script or in an ASP page allow to print these passwords in CLEAR TEXT.

The user name and password used to connect to the Logs DSN could allow a malicious user to delete traces of his activities on the server.

Obviously this represents a significant risk for Web servers that allow logons and/or remote access, although I did not see any exploit of the problem I am reporting yet. Here is an example of what can be gathered:

"
IIS 4.0 Metabase
© Patrick Chambet 1998 - pchambet@club-internet.fr
--- UNC User ---
UNC User name: 'Lou'
UNC User password: 'Microsoft'
UNC Authentication Pass Through: 'False'
--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
Password synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
ODBC User password: 'xxxxxx'
--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
Default Logon Domain: ''
"

For example, you can imagine the following scenario:

A user Bob is allowed to logon only on a server hosting IIS 4.0, say server (a). He need not be an Administrator. He can be for example an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts the login name and password of the account used to access to a virtual directory located on another server, say (b).

Now, Bob can use these login name and password to logon on server (b). And so forth...

Microsoft was informed of this vulnerability.

_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
MCP NT 4.0
Internet, Security and Microsoft solutions
e-business Services
IBM Global Services
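
A check of the file permissions the message describes, as an added example that is not part of the original post or its author's code: it parses `cacls` output for MetaBase.bin and reports any principal other than Administrators and SYSTEM. The `cacls` output layout, the function names and the sample text are assumptions constructed for illustration; the check covers only the file ACL, not reads made through script as the message describes.

```python
import re

# File named in the message, and the only principals it says have access.
METABASE = r"C:\WINNT\system32\inetsrv\MetaBase.bin"
ALLOWED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# Constructed sample of `cacls` output (not captured from a real host).
# The Everyone entry is included so the check has something to flag.
SAMPLE = (
    "C:\\WINNT\\system32\\inetsrv\\MetaBase.bin BUILTIN\\Administrators:F\n"
    "                                       NT AUTHORITY\\SYSTEM:F\n"
    "                                       Everyone:R\n"
)


def parse_cacls(output, path):
    """Return [(principal, rights)] from cacls output for one file.

    Assumes simple one-letter rights (F, C, R, N); multi-line
    "special access" entries are not handled.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        # The first line starts with the file name; drop it.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if not line:
            continue
        # Rights follow the last colon; inheritance flags such as
        # (OI)(CI) may sit between the colon and the rights letter.
        principal, _, rights = line.rpartition(":")
        rights = re.sub(r"\([A-Z]+\)", "", rights).strip()
        if principal and rights:
            entries.append((principal.strip(), rights))
    return entries


def unexpected_access(output, path, allowed=ALLOWED):
    """Return ACL entries whose principal is not in the allowed set."""
    allowed_cf = {a.lower() for a in allowed}
    return [(p, r) for p, r in parse_cacls(output, path)
            if p.lower() not in allowed_cf]


if __name__ == "__main__":
    for principal, rights in unexpected_access(SAMPLE, METABASE):
        print(f"unexpected ACL entry on {METABASE}: {principal} ({rights})")
```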