NT的密码究竟放在哪

根据以前的发现,windowsNT密码虽然不象Windows95那样以简单加密形式包含在一个文件里面,而是一些杂乱的暗码,分别藏在7个不同的地方。这篇最新发表的文章告诉我们WindowsNT密码隐藏的第八个地方。Date: Mon, 22 Feb 1999 11:26:41 +0100

From: Patrick CHAMBET <pchambet@club-internet.fr>
% @+ |0 D: a% M/ X$ U+ I) I7 h
% R( m  r0 W3 BTo: sans@clark.net
Subject: Alert: IIS 4.0 metabase can reveal plaintext passwords
Hi all,
We knew that Windows NT passwords are stored in 7 different places across
2 V2 d4 g1 r( m) s" R! Cthe system. Here is a 8th place: the IIS 4.0 metabase.
1 \4 @6 ^7 |+ C+ I$ Z" X% t. qIIS 4.0 uses its own configuration database, named "metabase", which can
be compared to the Windows Registry: the metabase is organised in Hives,
Keys and Values. It is stored in the following file:
C:\WINNT\system32\inetsrv\MetaBase.bin
The IIS 4.0 metabase contains these passwords:
- IUSR_ComputerName account password (only if you have typed it in the
$ r. J: B" b/ H1 ~, h. PMMC)
( x1 R; t' f4 `0 m- IWAM_ComputerName account password (ALWAYS !)
- UNC username and password used to connect to another server if one of
/ Z4 m7 L0 [0 Y+ C3 v4 M, Oyour virtual directories is located there.
- The user name and password used to connect to the ODBC DSN called
! ?8 u( J+ \1 q+ f9 f+ ~& r"HTTPLOG" (if you chose to store your Logs into a database).
, `( p% [$ o! y: r7 T- pNote that the usernames are in unicode, clear text, that the passwords are
srambled in the metabase.ini file, and that only Administrators and SYSTEM
' U! E4 I8 [% Y7 L" _. |2 j; \have permissions on this file.
7 K1 O8 D- H) [/ EBUT a few lines of script in a WSH script or in an ASP page allow to print
these passwords in CLEAR TEXT.
! D0 C2 e9 e* s+ I" dThe user name and password used to connect to the Logs DSN could allow a
3 W+ A: P1 V3 C% S* ^+ amalicious user to delete traces of his activities on the server.
% ~. J2 P0 Q" `* E, kObviously this represents a significant risk for Web servers that allow
7 R. N3 d$ m6 q( C6 {& v$ G: B- ~1 Llogons and/or remote access, although I did not see any exploit of the
/ d: }( R5 e1 ], B' cproblem I am reporting yet. Here is an example of what can be gathered:
"
8 r' ]9 k: s9 a" jIIS 4.0 Metabase
2 }* q, A1 `% g4 A3 K& F?Patrick Chambet 1998 - pchambet@club-internet.fr
) n& m5 l/ O! ~- {$ ^. `* }--- UNC User ---
$ g6 W( @# P# C! mUNC User name: 'Lou'
UNC User password: 'Microsoft'
7 U8 ?0 Q8 H! O% n9 p) @UNC Authentication Pass Through: 'False'
7 U. t$ a0 j: V8 [0 h--- Anonymous User ---
Anonymous User name: 'IUSR_SERVER'
Anonymous User password: 'x1fj5h_iopNNsp'
1 I+ h  v, f$ t2 [; pPassword synchronization: 'False'
--- IIS Logs DSN User ---
ODBC DSN name: 'HTTPLOG'
ODBC table name: 'InternetLog'
ODBC User name: 'InternetAdmin'
" @+ B6 S: h& U5 }' w! mODBC User password: 'xxxxxx'
( l. @2 Q, Q3 ]8 y! G' x--- Web Applications User ---
WAM User name: 'IWAM_SERVER'
WAM User password: 'Aj8_g2sAhjlk2'
3 O. m2 f/ w" }6 U& m$ q% l$ X" d0 dDefault Logon Domain: ''
: C9 n3 c' P) j- D2 j9 m"
+ R' D  M9 t, }5 o: fFor example, you can imagine the following scenario:
A user Bob is allowed to logon only on a server hosting IIS 4.0, say
server (a). He need not to be an Administrator. He can be for example
an IIS 4.0 Web Site Operator. Then, he launches a WSH script that extracts
; _8 T, k/ p/ gthe login name and password of the account used to access to a virtual
directory located on another server, say (b).
Now, Bob can use these login name and passord to logon on server (b).
1 a$ l' G% B6 H" l; rAnd so forth...
+ J: z) f3 q* f5 q; m& QMicrosoft was informed of this vulnerability.
+ C* a- P. e0 r% z: x2 k) ~& E" R_______________________________________________________________________
Patrick CHAMBET - pchambet@club-internet.fr
# h& ^- `( _& R4 }) N. R. ^MCP NT 4.0
Internet, Security and Microsoft solutions
4 e/ Z' j4 \. `- X& }. ]! K; Se-business Services
IBM Global Services